|
 |
ad1545 |
From 57a473bd41fbd3520871dbd7ed7dc9524946a48e Mon Sep 17 00:00:00 2001
|
|
|
ad1545 |
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
ad1545 |
Date: Thu, 29 Nov 2018 15:41:33 +0100
|
|
|
ad1545 |
Subject: [PATCH] ipatests: add upgrade test for double-encoded cacert
|
|
|
ad1545 |
|
|
|
ad1545 |
Create a test for upgrade with the following scenario:
|
|
|
ad1545 |
- install master
|
|
|
ad1545 |
- write a double-encoded cert in the entry
|
|
|
ad1545 |
cn=cacert,,cn=ipa,cn=etc,$basedn
|
|
|
ad1545 |
to simulate bug 7775
|
|
|
ad1545 |
- call ipa-server-upgrade
|
|
|
ad1545 |
- check that the upgrade fixed the value
|
|
|
ad1545 |
|
|
|
ad1545 |
The upgrade should finish successfully and repair
|
|
|
ad1545 |
the double-encoded cert.
|
|
|
ad1545 |
|
|
|
ad1545 |
Related to https://pagure.io/freeipa/issue/7775
|
|
|
ad1545 |
|
|
|
ad1545 |
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
ad1545 |
---
|
|
|
ad1545 |
ipatests/test_integration/test_upgrade.py | 35 +++++++++++++++++++++++
|
|
|
ad1545 |
1 file changed, 35 insertions(+)
|
|
|
ad1545 |
|
|
|
ad1545 |
diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
|
|
|
ad1545 |
index 951747b0b37cd62459a241255190baebdf0f728a..7dbe52d57052d3c640df644705fc3e22fab14334 100644
|
|
|
ad1545 |
--- a/ipatests/test_integration/test_upgrade.py
|
|
|
ad1545 |
+++ b/ipatests/test_integration/test_upgrade.py
|
|
|
ad1545 |
@@ -6,6 +6,9 @@
|
|
|
ad1545 |
Module provides tests to verify that the upgrade script works.
|
|
|
ad1545 |
"""
|
|
|
ad1545 |
|
|
|
ad1545 |
+import base64
|
|
|
ad1545 |
+from cryptography.hazmat.primitives import serialization
|
|
|
ad1545 |
+from ipapython.dn import DN
|
|
|
ad1545 |
from ipatests.test_integration.base import IntegrationTest
|
|
|
ad1545 |
from ipatests.pytest_plugins.integration import tasks
|
|
|
ad1545 |
|
|
|
ad1545 |
@@ -19,3 +22,35 @@ class TestUpgrade(IntegrationTest):
|
|
|
ad1545 |
cmd = self.master.run_command(['ipa-server-upgrade'],
|
|
|
ad1545 |
raiseonerr=False)
|
|
|
ad1545 |
assert cmd.returncode == 0
|
|
|
ad1545 |
+
|
|
|
ad1545 |
+ def test_double_encoded_cacert(self):
|
|
|
ad1545 |
+ """Test for BZ 1644874
|
|
|
ad1545 |
+
|
|
|
ad1545 |
+ In old IPA version, the entry cn=CAcert,cn=ipa,cn=etc,$basedn
|
|
|
ad1545 |
+ could contain a double-encoded cert, which leads to ipa-server-upgrade
|
|
|
ad1545 |
+ failure.
|
|
|
ad1545 |
+ Force a double-encoded value then call upgrade to check the fix.
|
|
|
ad1545 |
+ """
|
|
|
ad1545 |
+ # Read the current entry from LDAP
|
|
|
ad1545 |
+ ldap = self.master.ldap_connect()
|
|
|
ad1545 |
+ basedn = self.master.domain.basedn # pylint: disable=no-member
|
|
|
ad1545 |
+ dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), basedn)
|
|
|
ad1545 |
+ entry = ldap.get_entry(dn) # pylint: disable=no-member
|
|
|
ad1545 |
+ # Extract the certificate as DER then double-encode
|
|
|
ad1545 |
+ cacert = entry['cacertificate;binary'][0]
|
|
|
ad1545 |
+ cacert_der = cacert.public_bytes(serialization.Encoding.DER)
|
|
|
ad1545 |
+ cacert_b64 = base64.b64encode(cacert_der)
|
|
|
ad1545 |
+ # overwrite the value with double-encoded cert
|
|
|
ad1545 |
+ entry.single_value['cACertificate;binary'] = cacert_b64
|
|
|
ad1545 |
+ ldap.update_entry(entry) # pylint: disable=no-member
|
|
|
ad1545 |
+
|
|
|
ad1545 |
+ # try the upgrade
|
|
|
ad1545 |
+ self.master.run_command(['ipa-server-upgrade'])
|
|
|
ad1545 |
+
|
|
|
ad1545 |
+ # read the value after upgrade, should be fixed
|
|
|
ad1545 |
+ entry = ldap.get_entry(dn) # pylint: disable=no-member
|
|
|
ad1545 |
+ try:
|
|
|
ad1545 |
+ _cacert = entry['cacertificate;binary']
|
|
|
ad1545 |
+ except ValueError:
|
|
|
ad1545 |
+ raise AssertionError('%s contains a double-encoded cert'
|
|
|
ad1545 |
+ % entry.dn)
|
|
|
ad1545 |
--
|
|
|
ad1545 |
2.17.2
|
|
|
ad1545 |
|