freeipa/ipatests/test_integration/test_upgrade.py

#
# Copyright (C) 2018  FreeIPA Contributors see COPYING for license
#

"""
Module provides tests to verify that the upgrade script works.
"""

import base64
from cryptography.hazmat.primitives import serialization
from ipapython.dn import DN
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks


class TestUpgrade(IntegrationTest):
    """
    Test ipa-server-upgrade.

    Note that ipa-server-upgrade on a CA-less installation is tested
    in ``test_caless.TestIPACommands.test_invoke_upgrader``.

    """
    @classmethod
    def install(cls, mh):
        tasks.install_master(cls.master, setup_dns=False)

    def test_invoke_upgrader(self):
        cmd = self.master.run_command(['ipa-server-upgrade'],
                                      raiseonerr=False)
        assert ("DN: cn=Schema Compatibility,cn=plugins,cn=config does not \
                exists or haven't been updated" not in cmd.stdout_text)
        assert cmd.returncode == 0

    def test_double_encoded_cacert(self):
        """Test for BZ 1644874

        In old IPA version, the entry cn=CAcert,cn=ipa,cn=etc,$basedn
        could contain a double-encoded cert, which leads to ipa-server-upgrade
        failure.
        Force a double-encoded value then call upgrade to check the fix.
        """
        # Read the current entry from LDAP
        ldap = self.master.ldap_connect()
        basedn = self.master.domain.basedn  # pylint: disable=no-member
        dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), basedn)
        entry = ldap.get_entry(dn)  # pylint: disable=no-member
        # Extract the certificate as DER then double-encode
        cacert = entry['cacertificate;binary'][0]
        cacert_der = cacert.public_bytes(serialization.Encoding.DER)
        cacert_b64 = base64.b64encode(cacert_der)
        # overwrite the value with double-encoded cert
        entry.single_value['cACertificate;binary'] = cacert_b64
        ldap.update_entry(entry)  # pylint: disable=no-member

        # try the upgrade
        self.master.run_command(['ipa-server-upgrade'])

        # reconnect to the master (upgrade stops 389-ds)
        ldap = self.master.ldap_connect()
        # read the value after upgrade, should be fixed
        entry = ldap.get_entry(dn)  # pylint: disable=no-member
        try:
            _cacert = entry['cacertificate;binary']
        except ValueError:
            raise AssertionError('%s contains a double-encoded cert'
                                 % entry.dn)
Fix detection of KRA installation so upgrades can succeed Use is_installed() instead of is_configured() because is_installed() does a config file check to see if the service is in use. https://pagure.io/freeipa/issue/7389 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 2018-02-04 10:40:24 -06:00			`#`
			`# Copyright (C) 2018 FreeIPA Contributors see COPYING for license`
			`#`

			`"""`
			`Module provides tests to verify that the upgrade script works.`
			`"""`

ipatests: add upgrade test for double-encoded cacert Create a test for upgrade with the following scenario: - install master - write a double-encoded cert in the entry cn=cacert,,cn=ipa,cn=etc,$basedn to simulate bug 7775 - call ipa-server-upgrade - check that the upgrade fixed the value The upgrade should finish successfully and repair the double-encoded cert. Related to https://pagure.io/freeipa/issue/7775 Reviewed-By: Christian Heimes <cheimes@redhat.com> 2018-11-29 08:41:33 -06:00			`import base64`
			`from cryptography.hazmat.primitives import serialization`
			`from ipapython.dn import DN`
Fix detection of KRA installation so upgrades can succeed Use is_installed() instead of is_configured() because is_installed() does a config file check to see if the service is in use. https://pagure.io/freeipa/issue/7389 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 2018-02-04 10:40:24 -06:00			`from ipatests.test_integration.base import IntegrationTest`
Rename pytest_plugins to ipatests.pytest_ipa pytest 3.7.0 doesn't like ipatests.pytest_plugins package. The string "pytest_plugins" is used as marker to load plugins. By populare vote and to avoid future conflicts, we decided to rename the directory to pytest_ipa. Fixes: https://pagure.io/freeipa/issue/7663 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2018-08-02 06:45:19 -05:00			`from ipatests.pytest_ipa.integration import tasks`
Fix detection of KRA installation so upgrades can succeed Use is_installed() instead of is_configured() because is_installed() does a config file check to see if the service is in use. https://pagure.io/freeipa/issue/7389 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 2018-02-04 10:40:24 -06:00

			`class TestUpgrade(IntegrationTest):`
ipatests: test ipa-server-upgrade in CA-less deployment Part of: https://pagure.io/freeipa/issue/7991 Reviewed-By: Rob Crittenden <rcritten@redhat.com> 2019-06-27 03:57:02 -05:00			`"""`
			`Test ipa-server-upgrade.`

			`Note that ipa-server-upgrade on a CA-less installation is tested`
			in ``test_caless.TestIPACommands.test_invoke_upgrader``.

			`"""`
Fix detection of KRA installation so upgrades can succeed Use is_installed() instead of is_configured() because is_installed() does a config file check to see if the service is in use. https://pagure.io/freeipa/issue/7389 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 2018-02-04 10:40:24 -06:00			`@classmethod`
			`def install(cls, mh):`
			`tasks.install_master(cls.master, setup_dns=False)`

			`def test_invoke_upgrader(self):`
			`cmd = self.master.run_command(['ipa-server-upgrade'],`
			`raiseonerr=False)`
Add assert to check output of upgrade Ckeck the output of ipa-server-upgrade script for error. Related to: https://pagure.io/freeipa/issue/7644 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 2018-08-09 03:43:26 -05:00			`assert ("DN: cn=Schema Compatibility,cn=plugins,cn=config does not \`
			`exists or haven't been updated" not in cmd.stdout_text)`
Fix detection of KRA installation so upgrades can succeed Use is_installed() instead of is_configured() because is_installed() does a config file check to see if the service is in use. https://pagure.io/freeipa/issue/7389 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 2018-02-04 10:40:24 -06:00			`assert cmd.returncode == 0`
ipatests: add upgrade test for double-encoded cacert Create a test for upgrade with the following scenario: - install master - write a double-encoded cert in the entry cn=cacert,,cn=ipa,cn=etc,$basedn to simulate bug 7775 - call ipa-server-upgrade - check that the upgrade fixed the value The upgrade should finish successfully and repair the double-encoded cert. Related to https://pagure.io/freeipa/issue/7775 Reviewed-By: Christian Heimes <cheimes@redhat.com> 2018-11-29 08:41:33 -06:00
			`def test_double_encoded_cacert(self):`
			`"""Test for BZ 1644874`

			`In old IPA version, the entry cn=CAcert,cn=ipa,cn=etc,$basedn`
			`could contain a double-encoded cert, which leads to ipa-server-upgrade`
			`failure.`
			`Force a double-encoded value then call upgrade to check the fix.`
			`"""`
			`# Read the current entry from LDAP`
			`ldap = self.master.ldap_connect()`
			`basedn = self.master.domain.basedn # pylint: disable=no-member`
			`dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), basedn)`
			`entry = ldap.get_entry(dn) # pylint: disable=no-member`
			`# Extract the certificate as DER then double-encode`
			`cacert = entry['cacertificate;binary'][0]`
			`cacert_der = cacert.public_bytes(serialization.Encoding.DER)`
			`cacert_b64 = base64.b64encode(cacert_der)`
			`# overwrite the value with double-encoded cert`
			`entry.single_value['cACertificate;binary'] = cacert_b64`
			`ldap.update_entry(entry) # pylint: disable=no-member`

			`# try the upgrade`
			`self.master.run_command(['ipa-server-upgrade'])`

ipatests: fix TestUpgrade::test_double_encoded_cacert The test is using a stale ldap connection to the master (obtained before calling upgrade, and the upgrade stops and starts 389-ds, breaking the connection). The fix re-connects before using the ldap handle. Related to https://pagure.io/freeipa/issue/7775 Reviewed-By: Thomas Woerner <twoerner@redhat.com> 2018-12-04 09:44:54 -06:00			`# reconnect to the master (upgrade stops 389-ds)`
			`ldap = self.master.ldap_connect()`
ipatests: add upgrade test for double-encoded cacert Create a test for upgrade with the following scenario: - install master - write a double-encoded cert in the entry cn=cacert,,cn=ipa,cn=etc,$basedn to simulate bug 7775 - call ipa-server-upgrade - check that the upgrade fixed the value The upgrade should finish successfully and repair the double-encoded cert. Related to https://pagure.io/freeipa/issue/7775 Reviewed-By: Christian Heimes <cheimes@redhat.com> 2018-11-29 08:41:33 -06:00			`# read the value after upgrade, should be fixed`
			`entry = ldap.get_entry(dn) # pylint: disable=no-member`
			`try:`
			`_cacert = entry['cacertificate;binary']`
			`except ValueError:`
			`raise AssertionError('%s contains a double-encoded cert'`
			`% entry.dn)`