mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-26 08:51:50 -06:00
4a938adca2
The test is using a stale ldap connection to the master (obtained before calling upgrade, and the upgrade stops and starts 389-ds, breaking the connection). The fix re-connects before using the ldap handle. Related to https://pagure.io/freeipa/issue/7775 Reviewed-By: Thomas Woerner <twoerner@redhat.com>
61 lines
2.3 KiB
Python
61 lines
2.3 KiB
Python
#
|
|
# Copyright (C) 2018 FreeIPA Contributors see COPYING for license
|
|
#
|
|
|
|
"""
|
|
Module provides tests to verify that the upgrade script works.
|
|
"""
|
|
|
|
import base64
|
|
from cryptography.hazmat.primitives import serialization
|
|
from ipapython.dn import DN
|
|
from ipatests.test_integration.base import IntegrationTest
|
|
from ipatests.pytest_ipa.integration import tasks
|
|
|
|
|
|
class TestUpgrade(IntegrationTest):
|
|
@classmethod
|
|
def install(cls, mh):
|
|
tasks.install_master(cls.master, setup_dns=False)
|
|
|
|
def test_invoke_upgrader(self):
|
|
cmd = self.master.run_command(['ipa-server-upgrade'],
|
|
raiseonerr=False)
|
|
assert ("DN: cn=Schema Compatibility,cn=plugins,cn=config does not \
|
|
exists or haven't been updated" not in cmd.stdout_text)
|
|
assert cmd.returncode == 0
|
|
|
|
def test_double_encoded_cacert(self):
|
|
"""Test for BZ 1644874
|
|
|
|
In old IPA version, the entry cn=CAcert,cn=ipa,cn=etc,$basedn
|
|
could contain a double-encoded cert, which leads to ipa-server-upgrade
|
|
failure.
|
|
Force a double-encoded value then call upgrade to check the fix.
|
|
"""
|
|
# Read the current entry from LDAP
|
|
ldap = self.master.ldap_connect()
|
|
basedn = self.master.domain.basedn # pylint: disable=no-member
|
|
dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), basedn)
|
|
entry = ldap.get_entry(dn) # pylint: disable=no-member
|
|
# Extract the certificate as DER then double-encode
|
|
cacert = entry['cacertificate;binary'][0]
|
|
cacert_der = cacert.public_bytes(serialization.Encoding.DER)
|
|
cacert_b64 = base64.b64encode(cacert_der)
|
|
# overwrite the value with double-encoded cert
|
|
entry.single_value['cACertificate;binary'] = cacert_b64
|
|
ldap.update_entry(entry) # pylint: disable=no-member
|
|
|
|
# try the upgrade
|
|
self.master.run_command(['ipa-server-upgrade'])
|
|
|
|
# reconnect to the master (upgrade stops 389-ds)
|
|
ldap = self.master.ldap_connect()
|
|
# read the value after upgrade, should be fixed
|
|
entry = ldap.get_entry(dn) # pylint: disable=no-member
|
|
try:
|
|
_cacert = entry['cacertificate;binary']
|
|
except ValueError:
|
|
raise AssertionError('%s contains a double-encoded cert'
|
|
% entry.dn)
|