IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-26 08:51:50 -06:00
Code Issues Packages Projects Releases Wiki Activity
b7ae9f7a3f
freeipa/ipatests/test_integration/test_upgrade.py
Florence Blanc-Renaud 93e3fc4d89 ipatests: add upgrade test for double-encoded cacert 
Create a test for upgrade with the following scenario:
- install master
- write a double-encoded cert in the entry
cn=cacert,,cn=ipa,cn=etc,$basedn
to simulate bug 7775
- call ipa-server-upgrade
- check that the upgrade fixed the value

The upgrade should finish successfully and repair
the double-encoded cert.

Related to https://pagure.io/freeipa/issue/7775

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-30 11:05:17 +01:00

59 lines
2.2 KiB
Python
Raw Blame History

#
# Copyright (C) 2018 FreeIPA Contributors see COPYING for license
#
"""
Module provides tests to verify that the upgrade script works.
"""
import base64
from cryptography.hazmat.primitives import serialization
from ipapython.dn import DN
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
class TestUpgrade(IntegrationTest):
@classmethod
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=False)
def test_invoke_upgrader(self):
cmd = self.master.run_command(['ipa-server-upgrade'],
raiseonerr=False)
assert ("DN: cn=Schema Compatibility,cn=plugins,cn=config does not \
exists or haven't been updated" not in cmd.stdout_text)
assert cmd.returncode == 0
def test_double_encoded_cacert(self):
"""Test for BZ 1644874
In old IPA version, the entry cn=CAcert,cn=ipa,cn=etc,$basedn
could contain a double-encoded cert, which leads to ipa-server-upgrade
failure.
Force a double-encoded value then call upgrade to check the fix.
"""
# Read the current entry from LDAP
ldap = self.master.ldap_connect()
basedn = self.master.domain.basedn # pylint: disable=no-member
dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), basedn)
entry = ldap.get_entry(dn) # pylint: disable=no-member
# Extract the certificate as DER then double-encode
cacert = entry['cacertificate;binary'][0]
cacert_der = cacert.public_bytes(serialization.Encoding.DER)
cacert_b64 = base64.b64encode(cacert_der)
# overwrite the value with double-encoded cert
entry.single_value['cACertificate;binary'] = cacert_b64
ldap.update_entry(entry) # pylint: disable=no-member
# try the upgrade
self.master.run_command(['ipa-server-upgrade'])
# read the value after upgrade, should be fixed
entry = ldap.get_entry(dn) # pylint: disable=no-member
try:
_cacert = entry['cacertificate;binary']
except ValueError:
raise AssertionError('%s contains a double-encoded cert'
% entry.dn)
Reference in New Issue View Git Blame Copy Permalink