Blame SOURCES/0018-ipa_upgrade_handle_double-encoded_certificates_rhbz#1658310.patch

6d47df
From 8ee3779ded64ff55c3981fb8c2db50cdcd3abc5b Mon Sep 17 00:00:00 2001
6d47df
From: Florence Blanc-Renaud <flo@redhat.com>
6d47df
Date: Nov 30 2018 14:20:59 +0000
6d47df
Subject: ipa upgrade: handle double-encoded certificates
6d47df
6d47df
6d47df
Issue is linked to the ticket
6d47df
 #3477 LDAP upload CA cert sometimes double-encodes the value
6d47df
In old FreeIPA releases (< 3.2), the upgrade plugin was encoding twice
6d47df
the value of the certificate in cn=cacert,cn=ipa,cn=etc,$BASEDN.
6d47df
6d47df
The fix for 3477 is only partial as it prevents double-encoding when a
6d47df
new cert is uploaded but does not fix wrong values already present in LDAP.
6d47df
6d47df
With this commit, the code first tries to read a der cert. If it fails,
6d47df
it logs a debug message and re-writes the value caCertificate;binary
6d47df
to repair the entry.
6d47df
6d47df
Fixes https://pagure.io/freeipa/issue/7775
6d47df
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
6d47df
Reviewed-By: Christian Heimes <cheimes@redhat.com>
6d47df
6d47df
---
6d47df
6d47df
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
6d47df
index 85c67e7..763da1e 100644
6d47df
--- a/ipaserver/install/plugins/upload_cacrt.py
6d47df
+++ b/ipaserver/install/plugins/upload_cacrt.py
6d47df
@@ -115,7 +115,18 @@ class update_upload_cacrt(Updater):
6d47df
                 entry.single_value['cACertificate;binary'] = ca_cert
6d47df
                 ldap.add_entry(entry)
6d47df
             else:
6d47df
-                if b'' in entry['cACertificate;binary']:
6d47df
+                force_write = False
6d47df
+                try:
6d47df
+                    _cert_bin = entry['cACertificate;binary']
6d47df
+                except ValueError:
6d47df
+                    # BZ 1644874
6d47df
+                    # sometimes the cert is badly stored, twice encoded
6d47df
+                    # force write to fix the value
6d47df
+                    logger.debug('Fixing the value of cACertificate;binary '
6d47df
+                                 'in entry %s', entry.dn)
6d47df
+                    force_write = True
6d47df
+
6d47df
+                if force_write or b'' in entry['cACertificate;binary']:
6d47df
                     entry.single_value['cACertificate;binary'] = ca_cert
6d47df
                     ldap.update_entry(entry)
6d47df
 
6d47df
6d47df
From 2b0f3a1abb9067a0a5ba8e59762bc41dc51608e2 Mon Sep 17 00:00:00 2001
6d47df
From: Florence Blanc-Renaud <flo@redhat.com>
6d47df
Date: Nov 30 2018 14:20:59 +0000
6d47df
Subject: ipatests: add upgrade test for double-encoded cacert
6d47df
6d47df
6d47df
Create a test for upgrade with the following scenario:
6d47df
- install master
6d47df
- write a double-encoded cert in the entry
6d47df
cn=cacert,,cn=ipa,cn=etc,$basedn
6d47df
to simulate bug 7775
6d47df
- call ipa-server-upgrade
6d47df
- check that the upgrade fixed the value
6d47df
6d47df
The upgrade should finish successfully and repair
6d47df
the double-encoded cert.
6d47df
6d47df
Related to https://pagure.io/freeipa/issue/7775
6d47df
6d47df
Reviewed-By: Christian Heimes <cheimes@redhat.com>
6d47df
6d47df
---
6d47df
6d47df
diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
6d47df
index cbf5f39..e0175bc 100644
6d47df
--- a/ipatests/test_integration/test_upgrade.py
6d47df
+++ b/ipatests/test_integration/test_upgrade.py
6d47df
@@ -6,6 +6,9 @@
6d47df
 Module provides tests to verify that the upgrade script works.
6d47df
 """
6d47df
 
6d47df
+import base64
6d47df
+from cryptography.hazmat.primitives import serialization
6d47df
+from ipapython.dn import DN
6d47df
 from ipatests.test_integration.base import IntegrationTest
6d47df
 from ipatests.pytest_ipa.integration import tasks
6d47df
 
6d47df
@@ -21,3 +24,35 @@ class TestUpgrade(IntegrationTest):
6d47df
         assert ("DN: cn=Schema Compatibility,cn=plugins,cn=config does not \
6d47df
                 exists or haven't been updated" not in cmd.stdout_text)
6d47df
         assert cmd.returncode == 0
6d47df
+
6d47df
+    def test_double_encoded_cacert(self):
6d47df
+        """Test for BZ 1644874
6d47df
+
6d47df
+        In old IPA version, the entry cn=CAcert,cn=ipa,cn=etc,$basedn
6d47df
+        could contain a double-encoded cert, which leads to ipa-server-upgrade
6d47df
+        failure.
6d47df
+        Force a double-encoded value then call upgrade to check the fix.
6d47df
+        """
6d47df
+        # Read the current entry from LDAP
6d47df
+        ldap = self.master.ldap_connect()
6d47df
+        basedn = self.master.domain.basedn  # pylint: disable=no-member
6d47df
+        dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), basedn)
6d47df
+        entry = ldap.get_entry(dn)  # pylint: disable=no-member
6d47df
+        # Extract the certificate as DER then double-encode
6d47df
+        cacert = entry['cacertificate;binary'][0]
6d47df
+        cacert_der = cacert.public_bytes(serialization.Encoding.DER)
6d47df
+        cacert_b64 = base64.b64encode(cacert_der)
6d47df
+        # overwrite the value with double-encoded cert
6d47df
+        entry.single_value['cACertificate;binary'] = cacert_b64
6d47df
+        ldap.update_entry(entry)  # pylint: disable=no-member
6d47df
+
6d47df
+        # try the upgrade
6d47df
+        self.master.run_command(['ipa-server-upgrade'])
6d47df
+
6d47df
+        # read the value after upgrade, should be fixed
6d47df
+        entry = ldap.get_entry(dn)  # pylint: disable=no-member
6d47df
+        try:
6d47df
+            _cacert = entry['cacertificate;binary']
6d47df
+        except ValueError:
6d47df
+            raise AssertionError('%s contains a double-encoded cert'
6d47df
+                                 % entry.dn)
6d47df
6d47df
From 2a299c786f93e67446d5fd227fe14884b4e0d293 Mon Sep 17 00:00:00 2001
6d47df
From: Florence Blanc-Renaud <flo@redhat.com>
6d47df
Date: Dec 06 2018 10:37:26 +0000
6d47df
Subject: ipatests: fix TestUpgrade::test_double_encoded_cacert
6d47df
6d47df
6d47df
The test is using a stale ldap connection to the master
6d47df
(obtained before calling upgrade, and the upgrade stops
6d47df
and starts 389-ds, breaking the connection).
6d47df
6d47df
The fix re-connects before using the ldap handle.
6d47df
6d47df
Related to https://pagure.io/freeipa/issue/7775
6d47df
6d47df
---
6d47df
6d47df
diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
6d47df
index e0175bc..5cc890e 100644
6d47df
--- a/ipatests/test_integration/test_upgrade.py
6d47df
+++ b/ipatests/test_integration/test_upgrade.py
6d47df
@@ -49,6 +49,8 @@ class TestUpgrade(IntegrationTest):
6d47df
         # try the upgrade
6d47df
         self.master.run_command(['ipa-server-upgrade'])
6d47df
 
6d47df
+        # reconnect to the master (upgrade stops 389-ds)
6d47df
+        ldap = self.master.ldap_connect()
6d47df
         # read the value after upgrade, should be fixed
6d47df
         entry = ldap.get_entry(dn)  # pylint: disable=no-member
6d47df
         try:
6d47df