|
 |
a99c7c |
From cbd9ac6ab07dfb60f67da762fdd70856ad35c230 Mon Sep 17 00:00:00 2001
|
|
|
a99c7c |
From: Mohammad Rizwan <myusuf@redhat.com>
|
|
|
a99c7c |
Date: Thu, 25 Nov 2021 13:10:05 +0530
|
|
|
a99c7c |
Subject: [PATCH] ipatests: Test empty cert request doesn't force certmonger to
|
|
|
a99c7c |
segfault
|
|
|
a99c7c |
|
|
|
a99c7c |
When empty cert request is submitted to certmonger, it goes to
|
|
|
a99c7c |
segfault. This fix test that if something like this happens,
|
|
|
a99c7c |
certmonger should gracefuly handle it
|
|
|
a99c7c |
|
|
|
a99c7c |
and some PEP8 fixes
|
|
|
a99c7c |
|
|
|
a99c7c |
related: https://pagure.io/certmonger/issue/191
|
|
|
a99c7c |
|
|
|
a99c7c |
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
|
|
a99c7c |
---
|
|
|
a99c7c |
ipatests/test_integration/test_cert.py | 79 +++++++++++++++++++++++++-
|
|
|
a99c7c |
1 file changed, 78 insertions(+), 1 deletion(-)
|
|
|
a99c7c |
|
|
|
a99c7c |
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
|
|
|
a99c7c |
index 5ffb8c6086328d563084f1d4b73daa1d01d956e7..0518d79545f7592d17571068e2681474bd9e5b14 100644
|
|
|
a99c7c |
--- a/ipatests/test_integration/test_cert.py
|
|
|
a99c7c |
+++ b/ipatests/test_integration/test_cert.py
|
|
|
a99c7c |
@@ -14,6 +14,7 @@ import random
|
|
|
a99c7c |
import re
|
|
|
a99c7c |
import string
|
|
|
a99c7c |
import time
|
|
|
a99c7c |
+import textwrap
|
|
|
a99c7c |
|
|
|
a99c7c |
from ipaplatform.paths import paths
|
|
|
a99c7c |
from ipapython.dn import DN
|
|
|
a99c7c |
@@ -193,7 +194,7 @@ class TestInstallMasterClient(IntegrationTest):
|
|
|
a99c7c |
tasks.kinit_admin(self.master)
|
|
|
a99c7c |
tasks.user_add(self.master, user)
|
|
|
a99c7c |
|
|
|
a99c7c |
- for id in (0,1):
|
|
|
a99c7c |
+ for id in (0, 1):
|
|
|
a99c7c |
csr_file = f'{id}.csr'
|
|
|
a99c7c |
key_file = f'{id}.key'
|
|
|
a99c7c |
cert_file = f'{id}.crt'
|
|
|
a99c7c |
@@ -584,3 +585,79 @@ class TestCAShowErrorHandling(IntegrationTest):
|
|
|
a99c7c |
error_msg = 'ipa: ERROR: The certificate for ' \
|
|
|
a99c7c |
'{} is not available on this server.'.format(lwca)
|
|
|
a99c7c |
assert error_msg in result.stderr_text
|
|
|
a99c7c |
+
|
|
|
a99c7c |
+ def test_certmonger_empty_cert_not_segfault(self):
|
|
|
a99c7c |
+ """Test empty cert request doesn't force certmonger to segfault
|
|
|
a99c7c |
+
|
|
|
a99c7c |
+ Test scenario:
|
|
|
a99c7c |
+ create a cert request file in /var/lib/certmonger/requests which is
|
|
|
a99c7c |
+ missing most of the required information, and ask request a new
|
|
|
a99c7c |
+ certificate to certmonger. The wrong request file should not make
|
|
|
a99c7c |
+ certmonger crash.
|
|
|
a99c7c |
+
|
|
|
a99c7c |
+ related: https://pagure.io/certmonger/issue/191
|
|
|
a99c7c |
+ """
|
|
|
a99c7c |
+ empty_cert_req_content = textwrap.dedent("""
|
|
|
a99c7c |
+ id=dogtag-ipa-renew-agent
|
|
|
a99c7c |
+ key_type=UNSPECIFIED
|
|
|
a99c7c |
+ key_gen_type=UNSPECIFIED
|
|
|
a99c7c |
+ key_size=0
|
|
|
a99c7c |
+ key_gen_size=0
|
|
|
a99c7c |
+ key_next_type=UNSPECIFIED
|
|
|
a99c7c |
+ key_next_gen_type=UNSPECIFIED
|
|
|
a99c7c |
+ key_next_size=0
|
|
|
a99c7c |
+ key_next_gen_size=0
|
|
|
a99c7c |
+ key_preserve=0
|
|
|
a99c7c |
+ key_storage_type=NONE
|
|
|
a99c7c |
+ key_perms=0
|
|
|
a99c7c |
+ key_requested_count=0
|
|
|
a99c7c |
+ key_issued_count=0
|
|
|
a99c7c |
+ cert_storage_type=FILE
|
|
|
a99c7c |
+ cert_perms=0
|
|
|
a99c7c |
+ cert_is_ca=0
|
|
|
a99c7c |
+ cert_ca_path_length=0
|
|
|
a99c7c |
+ cert_no_ocsp_check=0
|
|
|
a99c7c |
+ last_need_notify_check=19700101000000
|
|
|
a99c7c |
+ last_need_enroll_check=19700101000000
|
|
|
a99c7c |
+ template_is_ca=0
|
|
|
a99c7c |
+ template_ca_path_length=-1
|
|
|
a99c7c |
+ template_no_ocsp_check=0
|
|
|
a99c7c |
+ state=NEED_KEY_PAIR
|
|
|
a99c7c |
+ autorenew=0
|
|
|
a99c7c |
+ monitor=0
|
|
|
a99c7c |
+ submitted=19700101000000
|
|
|
a99c7c |
+ """)
|
|
|
a99c7c |
+ # stop certmonger service
|
|
|
a99c7c |
+ self.master.run_command(['systemctl', 'stop', 'certmonger'])
|
|
|
a99c7c |
+
|
|
|
a99c7c |
+ # place an empty cert request file to certmonger request dir
|
|
|
a99c7c |
+ self.master.put_file_contents(
|
|
|
a99c7c |
+ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
|
|
|
a99c7c |
+ empty_cert_req_content
|
|
|
a99c7c |
+ )
|
|
|
a99c7c |
+
|
|
|
a99c7c |
+ # start certmonger, it should not fail
|
|
|
a99c7c |
+ self.master.run_command(['systemctl', 'start', 'certmonger'])
|
|
|
a99c7c |
+
|
|
|
a99c7c |
+ # request a new cert, should succeed and certmonger doesn't goes
|
|
|
a99c7c |
+ # to segfault
|
|
|
a99c7c |
+ result = self.master.run_command([
|
|
|
a99c7c |
+ "ipa-getcert", "request",
|
|
|
a99c7c |
+ "-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"),
|
|
|
a99c7c |
+ "-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"),
|
|
|
a99c7c |
+ ])
|
|
|
a99c7c |
+ request_id = re.findall(r'\d+', result.stdout_text)
|
|
|
a99c7c |
+
|
|
|
a99c7c |
+ # check if certificate is in MONITORING state
|
|
|
a99c7c |
+ status = tasks.wait_for_request(self.master, request_id[0], 50)
|
|
|
a99c7c |
+ assert status == "MONITORING"
|
|
|
a99c7c |
+
|
|
|
a99c7c |
+ self.master.run_command(
|
|
|
a99c7c |
+ ['ipa-getcert', 'stop-tracking', '-i', request_id[0]]
|
|
|
a99c7c |
+ )
|
|
|
a99c7c |
+ self.master.run_command([
|
|
|
a99c7c |
+ 'rm', '-rf',
|
|
|
a99c7c |
+ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
|
|
|
a99c7c |
+ os.path.join(paths.OPENSSL_CERTS_DIR, 'test.pem'),
|
|
|
a99c7c |
+ os.path.join(paths.OPENSSL_PRIVATE_DIR, 'test.key')
|
|
|
a99c7c |
+ ])
|
|
|
a99c7c |
--
|
|
|
a99c7c |
2.34.1
|
|
|
a99c7c |
|