From 57a473bd41fbd3520871dbd7ed7dc9524946a48e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Thu, 29 Nov 2018 15:41:33 +0100
Subject: [PATCH] ipatests: add upgrade test for double-encoded cacert

Create a test for upgrade with the following scenario: - install master - write a double-encoded cert in the entry cn=cacert,,cn=ipa,cn=etc,$basedn to simulate bug 7775 - call ipa-server-upgrade - check that the upgrade fixed the value The upgrade should finish successfully and repair the double-encoded cert. Related to https://pagure.io/freeipa/issue/7775
Reviewed-By: Christian Heimes
---
 ipatests/test_integration/test_upgrade.py | 35 +++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
index 951747b0b37cd62459a241255190baebdf0f728a..7dbe52d57052d3c640df644705fc3e22fab14334 100644
--- a/ipatests/test_integration/test_upgrade.py
+++ b/ipatests/test_integration/test_upgrade.py
@@ -6,6 +6,9 @@
 Module provides tests to verify that the upgrade script works.
 """
 
+import base64
+from cryptography.hazmat.primitives import serialization
+from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_plugins.integration import tasks
 
@@ -19,3 +22,35 @@ class TestUpgrade(IntegrationTest):
         cmd = self.master.run_command(['ipa-server-upgrade'],
                                       raiseonerr=False)
         assert cmd.returncode == 0
+
+    def test_double_encoded_cacert(self):
+        """Test for BZ 1644874
+
+        In old IPA version, the entry cn=CAcert,cn=ipa,cn=etc,$basedn
+        could contain a double-encoded cert, which leads to ipa-server-upgrade
+        failure.
+        Force a double-encoded value then call upgrade to check the fix.
+        """
+        # Read the current entry from LDAP
+        ldap = self.master.ldap_connect()
+        basedn = self.master.domain.basedn  # pylint: disable=no-member
+        dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), basedn)
+        entry = ldap.get_entry(dn)  # pylint: disable=no-member
+        # Extract the certificate as DER then double-encode
+        cacert = entry['cacertificate;binary'][0]
+        cacert_der = cacert.public_bytes(serialization.Encoding.DER)
+        cacert_b64 = base64.b64encode(cacert_der)
+        # overwrite the value with double-encoded cert
+        entry.single_value['cACertificate;binary'] = cacert_b64
+        ldap.update_entry(entry)  # pylint: disable=no-member
+
+        # try the upgrade
+        self.master.run_command(['ipa-server-upgrade'])
+
+        # read the value after upgrade, should be fixed
+        entry = ldap.get_entry(dn)  # pylint: disable=no-member
+        try:
+            _cacert = entry['cacertificate;binary']
+        except ValueError:
+            raise AssertionError('%s contains a double-encoded cert'
+                                 % entry.dn)
-- 
2.17.2
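Review bot: The post-upgrade check at the end of the hunk only verifies that the attribute decodes without raising ValueError; it never confirms that the repaired value is the certificate that was there before the test, and `_cacert` is otherwise unused. Comparing the DER bytes against the value captured earlier pins the assertion to the actual repair: `assert entry['cacertificate;binary'][0].public_bytes(serialization.Encoding.DER) == cacert_der`. Note also that if `ipa-server-upgrade` fails (run_command raises on a non-zero exit here, unlike the earlier call with `raiseonerr=False`), the entry is left holding the double-encoded value on the class-scoped master for any later test; restoring `cacert` via `entry.single_value['cACertificate;binary'] = cacert` and `ldap.update_entry(entry)` in a `finally` (or fixture teardown) would keep the deployment consistent. The read uses `'cacertificate;binary'` while the write uses `'cACertificate;binary'`; one spelling would read more clearly, assuming the entry normalises attribute names case-insensitively as the code appears to rely on.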