freeipa/ipatests/test_integration/test_upgrade.py
Fraser Tweedale 65d9a9be52 ipatests: test ipa-server-upgrade in CA-less deployment
Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-22 13:33:24 +10:00

68 lines
2.5 KiB
Python

#
# Copyright (C) 2018 FreeIPA Contributors see COPYING for license
#
"""
Module provides tests to verify that the upgrade script works.
"""
import base64
from cryptography.hazmat.primitives import serialization
from ipapython.dn import DN
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
class TestUpgrade(IntegrationTest):
"""
Test ipa-server-upgrade.
Note that ipa-server-upgrade on a CA-less installation is tested
in ``test_caless.TestIPACommands.test_invoke_upgrader``.
"""
@classmethod
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=False)
def test_invoke_upgrader(self):
cmd = self.master.run_command(['ipa-server-upgrade'],
raiseonerr=False)
assert ("DN: cn=Schema Compatibility,cn=plugins,cn=config does not \
exists or haven't been updated" not in cmd.stdout_text)
assert cmd.returncode == 0
def test_double_encoded_cacert(self):
"""Test for BZ 1644874
In old IPA version, the entry cn=CAcert,cn=ipa,cn=etc,$basedn
could contain a double-encoded cert, which leads to ipa-server-upgrade
failure.
Force a double-encoded value then call upgrade to check the fix.
"""
# Read the current entry from LDAP
ldap = self.master.ldap_connect()
basedn = self.master.domain.basedn # pylint: disable=no-member
dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), basedn)
entry = ldap.get_entry(dn) # pylint: disable=no-member
# Extract the certificate as DER then double-encode
cacert = entry['cacertificate;binary'][0]
cacert_der = cacert.public_bytes(serialization.Encoding.DER)
cacert_b64 = base64.b64encode(cacert_der)
# overwrite the value with double-encoded cert
entry.single_value['cACertificate;binary'] = cacert_b64
ldap.update_entry(entry) # pylint: disable=no-member
# try the upgrade
self.master.run_command(['ipa-server-upgrade'])
# reconnect to the master (upgrade stops 389-ds)
ldap = self.master.ldap_connect()
# read the value after upgrade, should be fixed
entry = ldap.get_entry(dn) # pylint: disable=no-member
try:
_cacert = entry['cacertificate;binary']
except ValueError:
raise AssertionError('%s contains a double-encoded cert'
% entry.dn)