areguera / rpms / ipa

Forked from rpms/ipa 5 years ago
Clone

Blame SOURCES/0052-ipatests-add-upgrade-test-for-double-encoded-cacert.patch

21de49
From 57a473bd41fbd3520871dbd7ed7dc9524946a48e Mon Sep 17 00:00:00 2001
21de49
From: Florence Blanc-Renaud <flo@redhat.com>
21de49
Date: Thu, 29 Nov 2018 15:41:33 +0100
21de49
Subject: [PATCH] ipatests: add upgrade test for double-encoded cacert
21de49
21de49
Create a test for upgrade with the following scenario:
21de49
- install master
21de49
- write a double-encoded cert in the entry
21de49
cn=cacert,,cn=ipa,cn=etc,$basedn
21de49
to simulate bug 7775
21de49
- call ipa-server-upgrade
21de49
- check that the upgrade fixed the value
21de49
21de49
The upgrade should finish successfully and repair
21de49
the double-encoded cert.
21de49
21de49
Related to https://pagure.io/freeipa/issue/7775
21de49
21de49
Reviewed-By: Christian Heimes <cheimes@redhat.com>
21de49
---
21de49
 ipatests/test_integration/test_upgrade.py | 35 +++++++++++++++++++++++
21de49
 1 file changed, 35 insertions(+)
21de49
21de49
diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
21de49
index 951747b0b37cd62459a241255190baebdf0f728a..7dbe52d57052d3c640df644705fc3e22fab14334 100644
21de49
--- a/ipatests/test_integration/test_upgrade.py
21de49
+++ b/ipatests/test_integration/test_upgrade.py
21de49
@@ -6,6 +6,9 @@
21de49
 Module provides tests to verify that the upgrade script works.
21de49
 """
21de49
 
21de49
+import base64
21de49
+from cryptography.hazmat.primitives import serialization
21de49
+from ipapython.dn import DN
21de49
 from ipatests.test_integration.base import IntegrationTest
21de49
 from ipatests.pytest_plugins.integration import tasks
21de49
 
21de49
@@ -19,3 +22,35 @@ class TestUpgrade(IntegrationTest):
21de49
         cmd = self.master.run_command(['ipa-server-upgrade'],
21de49
                                       raiseonerr=False)
21de49
         assert cmd.returncode == 0
21de49
+
21de49
+    def test_double_encoded_cacert(self):
21de49
+        """Test for BZ 1644874
21de49
+
21de49
+        In old IPA version, the entry cn=CAcert,cn=ipa,cn=etc,$basedn
21de49
+        could contain a double-encoded cert, which leads to ipa-server-upgrade
21de49
+        failure.
21de49
+        Force a double-encoded value then call upgrade to check the fix.
21de49
+        """
21de49
+        # Read the current entry from LDAP
21de49
+        ldap = self.master.ldap_connect()
21de49
+        basedn = self.master.domain.basedn  # pylint: disable=no-member
21de49
+        dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), basedn)
21de49
+        entry = ldap.get_entry(dn)  # pylint: disable=no-member
21de49
+        # Extract the certificate as DER then double-encode
21de49
+        cacert = entry['cacertificate;binary'][0]
21de49
+        cacert_der = cacert.public_bytes(serialization.Encoding.DER)
21de49
+        cacert_b64 = base64.b64encode(cacert_der)
21de49
+        # overwrite the value with double-encoded cert
21de49
+        entry.single_value['cACertificate;binary'] = cacert_b64
21de49
+        ldap.update_entry(entry)  # pylint: disable=no-member
21de49
+
21de49
+        # try the upgrade
21de49
+        self.master.run_command(['ipa-server-upgrade'])
21de49
+
21de49
+        # read the value after upgrade, should be fixed
21de49
+        entry = ldap.get_entry(dn)  # pylint: disable=no-member
21de49
+        try:
21de49
+            _cacert = entry['cacertificate;binary']
21de49
+        except ValueError:
21de49
+            raise AssertionError('%s contains a double-encoded cert'
21de49
+                                 % entry.dn)
21de49
-- 
21de49
2.17.2
21de49