# # Copyright (C) 2018 FreeIPA Contributors see COPYING for license # """ Module provides tests to verify that the upgrade script works. """ import base64 from cryptography.hazmat.primitives import serialization from ipapython.dn import DN from ipatests.test_integration.base import IntegrationTest from ipatests.pytest_ipa.integration import tasks class TestUpgrade(IntegrationTest): @classmethod def install(cls, mh): tasks.install_master(cls.master, setup_dns=False) def test_invoke_upgrader(self): cmd = self.master.run_command(['ipa-server-upgrade'], raiseonerr=False) assert ("DN: cn=Schema Compatibility,cn=plugins,cn=config does not \ exists or haven't been updated" not in cmd.stdout_text) assert cmd.returncode == 0 def test_double_encoded_cacert(self): """Test for BZ 1644874 In old IPA version, the entry cn=CAcert,cn=ipa,cn=etc,$basedn could contain a double-encoded cert, which leads to ipa-server-upgrade failure. Force a double-encoded value then call upgrade to check the fix. """ # Read the current entry from LDAP ldap = self.master.ldap_connect() basedn = self.master.domain.basedn # pylint: disable=no-member dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), basedn) entry = ldap.get_entry(dn) # pylint: disable=no-member # Extract the certificate as DER then double-encode cacert = entry['cacertificate;binary'][0] cacert_der = cacert.public_bytes(serialization.Encoding.DER) cacert_b64 = base64.b64encode(cacert_der) # overwrite the value with double-encoded cert entry.single_value['cACertificate;binary'] = cacert_b64 ldap.update_entry(entry) # pylint: disable=no-member # try the upgrade self.master.run_command(['ipa-server-upgrade']) # reconnect to the master (upgrade stops 389-ds) ldap = self.master.ldap_connect() # read the value after upgrade, should be fixed entry = ldap.get_entry(dn) # pylint: disable=no-member try: _cacert = entry['cacertificate;binary'] except ValueError: raise AssertionError('%s contains a double-encoded cert' % entry.dn)