|
|
b01884 |
From 8ee3779ded64ff55c3981fb8c2db50cdcd3abc5b Mon Sep 17 00:00:00 2001
|
|
|
b01884 |
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
b01884 |
Date: Nov 30 2018 14:20:59 +0000
|
|
|
b01884 |
Subject: ipa upgrade: handle double-encoded certificates
|
|
|
b01884 |
|
|
|
b01884 |
|
|
|
b01884 |
Issue is linked to the ticket
|
|
|
b01884 |
#3477 LDAP upload CA cert sometimes double-encodes the value
|
|
|
b01884 |
In old FreeIPA releases (< 3.2), the upgrade plugin was encoding twice
|
|
|
b01884 |
the value of the certificate in cn=cacert,cn=ipa,cn=etc,$BASEDN.
|
|
|
b01884 |
|
|
|
b01884 |
The fix for 3477 is only partial as it prevents double-encoding when a
|
|
|
b01884 |
new cert is uploaded but does not fix wrong values already present in LDAP.
|
|
|
b01884 |
|
|
|
b01884 |
With this commit, the code first tries to read a der cert. If it fails,
|
|
|
b01884 |
it logs a debug message and re-writes the value caCertificate;binary
|
|
|
b01884 |
to repair the entry.
|
|
|
b01884 |
|
|
|
b01884 |
Fixes https://pagure.io/freeipa/issue/7775
|
|
|
b01884 |
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
b01884 |
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
b01884 |
|
|
|
b01884 |
---
|
|
|
b01884 |
|
|
|
b01884 |
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
|
|
|
b01884 |
index 85c67e7..763da1e 100644
|
|
|
b01884 |
--- a/ipaserver/install/plugins/upload_cacrt.py
|
|
|
b01884 |
+++ b/ipaserver/install/plugins/upload_cacrt.py
|
|
|
b01884 |
@@ -115,7 +115,18 @@ class update_upload_cacrt(Updater):
|
|
|
b01884 |
entry.single_value['cACertificate;binary'] = ca_cert
|
|
|
b01884 |
ldap.add_entry(entry)
|
|
|
b01884 |
else:
|
|
|
b01884 |
- if b'' in entry['cACertificate;binary']:
|
|
|
b01884 |
+ force_write = False
|
|
|
b01884 |
+ try:
|
|
|
b01884 |
+ _cert_bin = entry['cACertificate;binary']
|
|
|
b01884 |
+ except ValueError:
|
|
|
b01884 |
+ # BZ 1644874
|
|
|
b01884 |
+ # sometimes the cert is badly stored, twice encoded
|
|
|
b01884 |
+ # force write to fix the value
|
|
|
b01884 |
+ logger.debug('Fixing the value of cACertificate;binary '
|
|
|
b01884 |
+ 'in entry %s', entry.dn)
|
|
|
b01884 |
+ force_write = True
|
|
|
b01884 |
+
|
|
|
b01884 |
+ if force_write or b'' in entry['cACertificate;binary']:
|
|
|
b01884 |
entry.single_value['cACertificate;binary'] = ca_cert
|
|
|
b01884 |
ldap.update_entry(entry)
|
|
|
b01884 |
|
|
|
b01884 |
|
|
|
b01884 |
From 2b0f3a1abb9067a0a5ba8e59762bc41dc51608e2 Mon Sep 17 00:00:00 2001
|
|
|
b01884 |
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
b01884 |
Date: Nov 30 2018 14:20:59 +0000
|
|
|
b01884 |
Subject: ipatests: add upgrade test for double-encoded cacert
|
|
|
b01884 |
|
|
|
b01884 |
|
|
|
b01884 |
Create a test for upgrade with the following scenario:
|
|
|
b01884 |
- install master
|
|
|
b01884 |
- write a double-encoded cert in the entry
|
|
|
b01884 |
cn=cacert,,cn=ipa,cn=etc,$basedn
|
|
|
b01884 |
to simulate bug 7775
|
|
|
b01884 |
- call ipa-server-upgrade
|
|
|
b01884 |
- check that the upgrade fixed the value
|
|
|
b01884 |
|
|
|
b01884 |
The upgrade should finish successfully and repair
|
|
|
b01884 |
the double-encoded cert.
|
|
|
b01884 |
|
|
|
b01884 |
Related to https://pagure.io/freeipa/issue/7775
|
|
|
b01884 |
|
|
|
b01884 |
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
b01884 |
|
|
|
b01884 |
---
|
|
|
b01884 |
|
|
|
b01884 |
diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
|
|
|
b01884 |
index cbf5f39..e0175bc 100644
|
|
|
b01884 |
--- a/ipatests/test_integration/test_upgrade.py
|
|
|
b01884 |
+++ b/ipatests/test_integration/test_upgrade.py
|
|
|
b01884 |
@@ -6,6 +6,9 @@
|
|
|
b01884 |
Module provides tests to verify that the upgrade script works.
|
|
|
b01884 |
"""
|
|
|
b01884 |
|
|
|
b01884 |
+import base64
|
|
|
b01884 |
+from cryptography.hazmat.primitives import serialization
|
|
|
b01884 |
+from ipapython.dn import DN
|
|
|
b01884 |
from ipatests.test_integration.base import IntegrationTest
|
|
|
b01884 |
from ipatests.pytest_ipa.integration import tasks
|
|
|
b01884 |
|
|
|
b01884 |
@@ -21,3 +24,35 @@ class TestUpgrade(IntegrationTest):
|
|
|
b01884 |
assert ("DN: cn=Schema Compatibility,cn=plugins,cn=config does not \
|
|
|
b01884 |
exists or haven't been updated" not in cmd.stdout_text)
|
|
|
b01884 |
assert cmd.returncode == 0
|
|
|
b01884 |
+
|
|
|
b01884 |
+ def test_double_encoded_cacert(self):
|
|
|
b01884 |
+ """Test for BZ 1644874
|
|
|
b01884 |
+
|
|
|
b01884 |
+ In old IPA version, the entry cn=CAcert,cn=ipa,cn=etc,$basedn
|
|
|
b01884 |
+ could contain a double-encoded cert, which leads to ipa-server-upgrade
|
|
|
b01884 |
+ failure.
|
|
|
b01884 |
+ Force a double-encoded value then call upgrade to check the fix.
|
|
|
b01884 |
+ """
|
|
|
b01884 |
+ # Read the current entry from LDAP
|
|
|
b01884 |
+ ldap = self.master.ldap_connect()
|
|
|
b01884 |
+ basedn = self.master.domain.basedn # pylint: disable=no-member
|
|
|
b01884 |
+ dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), basedn)
|
|
|
b01884 |
+ entry = ldap.get_entry(dn) # pylint: disable=no-member
|
|
|
b01884 |
+ # Extract the certificate as DER then double-encode
|
|
|
b01884 |
+ cacert = entry['cacertificate;binary'][0]
|
|
|
b01884 |
+ cacert_der = cacert.public_bytes(serialization.Encoding.DER)
|
|
|
b01884 |
+ cacert_b64 = base64.b64encode(cacert_der)
|
|
|
b01884 |
+ # overwrite the value with double-encoded cert
|
|
|
b01884 |
+ entry.single_value['cACertificate;binary'] = cacert_b64
|
|
|
b01884 |
+ ldap.update_entry(entry) # pylint: disable=no-member
|
|
|
b01884 |
+
|
|
|
b01884 |
+ # try the upgrade
|
|
|
b01884 |
+ self.master.run_command(['ipa-server-upgrade'])
|
|
|
b01884 |
+
|
|
|
b01884 |
+ # read the value after upgrade, should be fixed
|
|
|
b01884 |
+ entry = ldap.get_entry(dn) # pylint: disable=no-member
|
|
|
b01884 |
+ try:
|
|
|
b01884 |
+ _cacert = entry['cacertificate;binary']
|
|
|
b01884 |
+ except ValueError:
|
|
|
b01884 |
+ raise AssertionError('%s contains a double-encoded cert'
|
|
|
b01884 |
+ % entry.dn)
|
|
|
b01884 |
|
|
|
b01884 |
From 2a299c786f93e67446d5fd227fe14884b4e0d293 Mon Sep 17 00:00:00 2001
|
|
|
b01884 |
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
b01884 |
Date: Dec 06 2018 10:37:26 +0000
|
|
|
b01884 |
Subject: ipatests: fix TestUpgrade::test_double_encoded_cacert
|
|
|
b01884 |
|
|
|
b01884 |
|
|
|
b01884 |
The test is using a stale ldap connection to the master
|
|
|
b01884 |
(obtained before calling upgrade, and the upgrade stops
|
|
|
b01884 |
and starts 389-ds, breaking the connection).
|
|
|
b01884 |
|
|
|
b01884 |
The fix re-connects before using the ldap handle.
|
|
|
b01884 |
|
|
|
b01884 |
Related to https://pagure.io/freeipa/issue/7775
|
|
|
b01884 |
|
|
|
b01884 |
---
|
|
|
b01884 |
|
|
|
b01884 |
diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
|
|
|
b01884 |
index e0175bc..5cc890e 100644
|
|
|
b01884 |
--- a/ipatests/test_integration/test_upgrade.py
|
|
|
b01884 |
+++ b/ipatests/test_integration/test_upgrade.py
|
|
|
b01884 |
@@ -49,6 +49,8 @@ class TestUpgrade(IntegrationTest):
|
|
|
b01884 |
# try the upgrade
|
|
|
b01884 |
self.master.run_command(['ipa-server-upgrade'])
|
|
|
b01884 |
|
|
|
b01884 |
+ # reconnect to the master (upgrade stops 389-ds)
|
|
|
b01884 |
+ ldap = self.master.ldap_connect()
|
|
|
b01884 |
# read the value after upgrade, should be fixed
|
|
|
b01884 |
entry = ldap.get_entry(dn) # pylint: disable=no-member
|
|
|
b01884 |
try:
|
|
|
b01884 |
|