From cbd9ac6ab07dfb60f67da762fdd70856ad35c230 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Thu, 25 Nov 2021 13:10:05 +0530
Subject: [PATCH] ipatests: Test empty cert request doesn't force certmonger to
 segfault
When empty cert request is submitted to certmonger, it goes to
segfault. This fix test that if something like this happens,
certmonger should gracefully handle it
and some PEP8 fixes
related: https://pagure.io/certmonger/issue/191
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
---
 ipatests/test_integration/test_cert.py | 79 +++++++++++++++++++++++++-
 1 file changed, 78 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
bb0ded
index 5ffb8c6086328d563084f1d4b73daa1d01d956e7..0518d79545f7592d17571068e2681474bd9e5b14 100644
bb0ded
--- a/ipatests/test_integration/test_cert.py
bb0ded
+++ b/ipatests/test_integration/test_cert.py
bb0ded
@@ -14,6 +14,7 @@ import random
bb0ded
 import re
bb0ded
 import string
bb0ded
 import time
bb0ded
+import textwrap
bb0ded
 
bb0ded
 from ipaplatform.paths import paths
bb0ded
 from ipapython.dn import DN
bb0ded
@@ -193,7 +194,7 @@ class TestInstallMasterClient(IntegrationTest):
bb0ded
         tasks.kinit_admin(self.master)
bb0ded
         tasks.user_add(self.master, user)
bb0ded
 
bb0ded
-        for id in (0,1):
bb0ded
+        for id in (0, 1):
bb0ded
             csr_file = f'{id}.csr'
bb0ded
             key_file = f'{id}.key'
bb0ded
             cert_file = f'{id}.crt'
bb0ded
@@ -584,3 +585,79 @@ class TestCAShowErrorHandling(IntegrationTest):
bb0ded
         error_msg = 'ipa: ERROR: The certificate for ' \
bb0ded
                     '{} is not available on this server.'.format(lwca)
bb0ded
         assert error_msg in result.stderr_text
bb0ded
+
bb0ded
+    def test_certmonger_empty_cert_not_segfault(self):
bb0ded
+        """Test empty cert request doesn't force certmonger to segfault
bb0ded
+
bb0ded
+        Test scenario:
bb0ded
+        create a cert request file in /var/lib/certmonger/requests which is
bb0ded
+        missing most of the required information, and ask request a new
bb0ded
+        certificate to certmonger. The wrong request file should not make
bb0ded
+        certmonger crash.
bb0ded
+
bb0ded
+        related: https://pagure.io/certmonger/issue/191
bb0ded
+        """
bb0ded
+        empty_cert_req_content = textwrap.dedent("""
bb0ded
+        id=dogtag-ipa-renew-agent
bb0ded
+        key_type=UNSPECIFIED
bb0ded
+        key_gen_type=UNSPECIFIED
bb0ded
+        key_size=0
bb0ded
+        key_gen_size=0
bb0ded
+        key_next_type=UNSPECIFIED
bb0ded
+        key_next_gen_type=UNSPECIFIED
bb0ded
+        key_next_size=0
bb0ded
+        key_next_gen_size=0
bb0ded
+        key_preserve=0
bb0ded
+        key_storage_type=NONE
bb0ded
+        key_perms=0
bb0ded
+        key_requested_count=0
bb0ded
+        key_issued_count=0
bb0ded
+        cert_storage_type=FILE
bb0ded
+        cert_perms=0
bb0ded
+        cert_is_ca=0
bb0ded
+        cert_ca_path_length=0
bb0ded
+        cert_no_ocsp_check=0
bb0ded
+        last_need_notify_check=19700101000000
bb0ded
+        last_need_enroll_check=19700101000000
bb0ded
+        template_is_ca=0
bb0ded
+        template_ca_path_length=-1
bb0ded
+        template_no_ocsp_check=0
bb0ded
+        state=NEED_KEY_PAIR
bb0ded
+        autorenew=0
bb0ded
+        monitor=0
bb0ded
+        submitted=19700101000000
bb0ded
+        """)
bb0ded
+        # stop certmonger service
bb0ded
+        self.master.run_command(['systemctl', 'stop', 'certmonger'])
bb0ded
+
bb0ded
+        # place an empty cert request file to certmonger request dir
bb0ded
+        self.master.put_file_contents(
bb0ded
+            os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
bb0ded
+            empty_cert_req_content
bb0ded
+        )
bb0ded
+
bb0ded
+        # start certmonger, it should not fail
bb0ded
+        self.master.run_command(['systemctl', 'start', 'certmonger'])
bb0ded
+
bb0ded
+        # request a new cert, should succeed and certmonger doesn't goes
bb0ded
+        # to segfault
bb0ded
+        result = self.master.run_command([
bb0ded
+            "ipa-getcert", "request",
bb0ded
+            "-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"),
bb0ded
+            "-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"),
bb0ded
+        ])
bb0ded
+        request_id = re.findall(r'\d+', result.stdout_text)
bb0ded
+
bb0ded
+        # check if certificate is in MONITORING state
bb0ded
+        status = tasks.wait_for_request(self.master, request_id[0], 50)
bb0ded
+        assert status == "MONITORING"
bb0ded
+
bb0ded
+        self.master.run_command(
bb0ded
+            ['ipa-getcert', 'stop-tracking', '-i', request_id[0]]
bb0ded
+        )
bb0ded
+        self.master.run_command([
bb0ded
+            'rm', '-rf',
bb0ded
+            os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
bb0ded
+            os.path.join(paths.OPENSSL_CERTS_DIR, 'test.pem'),
bb0ded
+            os.path.join(paths.OPENSSL_PRIVATE_DIR, 'test.key')
bb0ded
+        ])
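Review bot: The cleanup at the end of `test_certmonger_empty_cert_not_segfault` only runs when every earlier step succeeds. If `ipa-getcert request` fails, `wait_for_request` times out, or the `MONITORING` assert fails, the malformed request file stays in `paths.CERTMONGER_REQUESTS_DIR`, the request stays tracked, and `test.key` is left in `paths.OPENSSL_PRIVATE_DIR` for whatever test runs next on that master. Wrapping the body in `try`/`finally` with best-effort cleanup (`raiseonerr=False`) avoids that, and `rm -f` is enough here since all three paths are regular files. Separately, `request_id[0]` raises a bare `IndexError` when `ipa-getcert` prints no digits, so an explicit `assert request_id, result.stdout_text` before it would make that failure readable.

```python
        request_file = os.path.join(
            paths.CERTMONGER_REQUESTS_DIR, '20211125062617')
        request_id = None
        try:
            # … unchanged: stop certmonger, write request_file, start certmonger …
            # … unchanged: ipa-getcert request, wait_for_request, MONITORING assert …
        finally:
            if request_id:
                self.master.run_command(
                    ['ipa-getcert', 'stop-tracking', '-i', request_id[0]],
                    raiseonerr=False
                )
            self.master.run_command([
                'rm', '-f', request_file,
                os.path.join(paths.OPENSSL_CERTS_DIR, 'test.pem'),
                os.path.join(paths.OPENSSL_PRIVATE_DIR, 'test.key')
            ], raiseonerr=False)
```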
-- 
2.34.1