author | Rob Crittenden <rcritten@redhat.com> | 2010-07-22 16:08:17 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-08-06 13:12:21 -0400 |
commit | efa11d3746c8649f5cb42be9e4787a85413b0f6c (patch) | |
tree | b82464f970a02582074c6f326d7a9482d60e6153 | |
parent | 4ea34d5910f304c50a1a432f43318239b1db8be6 (diff) | |
Fix replacing a certificate in a service.
When a service has a certificate and the CA backend doesn't support
revocation (like selfsign) then we simply drop the old certificate in
preparation for adding a new one. We weren't setting the usercertificate
attribute to None so there was nothing to do in ldap_update().
Added a test case for this situation to ensure that re-issuing a certificate
works.
ticket #88
-rw-r--r-- | ipalib/plugins/service.py | 25 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_cert.py | 31 |
2 files changed, 42 insertions, 14 deletions
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 37de3df42..392ae60eb 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -246,17 +246,20 @@ class service_mod(LDAPUpdate):
     member_attributes = ['managedby']
 
     def pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
-        cert = options.get('usercertificate')
-        if cert:
-            (dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate'])
-            if 'usercertificate' in entry_attrs_old:
-                # FIXME: what to do here? do we revoke the old cert?
-                fmt = 'entry already has a certificate, serial number: %s' % (
-                    x509.get_serial_number(entry_attrs_old['usercertificate'][0], x509.DER)
-                )
-                raise errors.GenericError(format=fmt)
-            # FIXME: should be in normalizer; see service_add
-            entry_attrs['usercertificate'] = base64.b64decode(cert)
+        if 'usercertificate' in options:
+            cert = options.get('usercertificate')
+            if cert:
+                (dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate'])
+                if 'usercertificate' in entry_attrs_old:
+                    # FIXME: what to do here? do we revoke the old cert?
+                    fmt = 'entry already has a certificate, serial number: %s' % (
+                        x509.get_serial_number(entry_attrs_old['usercertificate'][0], x509.DER)
+                    )
+                    raise errors.GenericError(format=fmt)
+                # FIXME: should be in normalizer; see service_add
+                entry_attrs['usercertificate'] = base64.b64decode(cert)
+            else:
+                entry_attrs['usercertificate'] = None
         return dn
 
 api.register(service_mod)
diff --git a/tests/test_xmlrpc/test_cert.py b/tests/test_xmlrpc/test_cert.py
index a99848152..5d594891e 100644
--- a/tests/test_xmlrpc/test_cert.py
+++ b/tests/test_xmlrpc/test_cert.py
@@ -33,6 +33,7 @@ import base64
 
 # So we can save the cert from issuance and compare it later
 cert = None
+newcert = None
 
 # Test setup
 #
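Review bot: The new `else:` branch in pre_callback clears `usercertificate` whenever the option is passed with an empty value, but the previously stored certificate is never revoked on that path and nothing in the hunk says so — the existing FIXME only covers the replace-with-a-new-cert path. Since service_mod is a registered command, any caller allowed to modify the service can drop a still-valid certificate from the entry this way, so the contract should be stated at the branch: `# An explicit empty usercertificate clears the stored cert WITHOUT revoking it; callers whose CA backend supports revocation must revoke before clearing (see FIXME above).` The revocation decision presumably lives in the caller (cert_request), which is outside this diff. As a point of style, after the `'usercertificate' in options` guard `options.get('usercertificate')` can simply be `options['usercertificate']`.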
@@ -124,7 +125,7 @@ class test_cert(XMLRPC_test):
 
     def test_3_service_show(self):
         """
-        Verify that service-show has the right certificate.
+        Verify that service-show has the right certificate using service-show.
         """
         global cert
 
@@ -133,7 +134,7 @@ class test_cert(XMLRPC_test):
 
     def test_4_service_find(self):
         """
-        Verify that service-find has the right certificate.
+        Verify that service-find has the right certificate using service-find.
         """
         global cert
 
@@ -141,7 +142,31 @@ class test_cert(XMLRPC_test):
         res = api.Command['service_find'](self.service_princ)['result']
         assert base64.b64encode(res[0]['usercertificate'][0]) == cert
 
-    def test_5_cleanup(self):
+    def test_5_cert_renew(self):
+        """
+        Issue a new certificate for a service
+        """
+        global newcert
+
+        csr = unicode(self.generateCSR(self.subject))
+        res = api.Command['cert_request'](csr, principal=self.service_princ)['result']
+        assert res['subject'] == self.subject
+        # save the cert for the service_show/find tests
+        newcert = res['certificate']
+
+    def test_6_service_show(self):
+        """
+        Verify the new certificate with service-show.
+        """
+        global cert, newcert
+
+        res = api.Command['service_show'](self.service_princ)['result']
+        # It should no longer match our old cert
+        assert base64.b64encode(res['usercertificate'][0]) != cert
+        # And it should match the new one
+        assert base64.b64encode(res['usercertificate'][0]) == newcert
+
+    def test_7_cleanup(self):
         """
         Clean up cert test data
         """
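Review bot: test_6_service_show only inspects `res['usercertificate'][0]`, so it would still pass if the new certificate had been appended next to the old one instead of replacing it — which is the very failure mode this fix is about. Assuming the attribute comes back as a list as the existing `[0]` indexing implies, add `assert len(res['usercertificate']) == 1` before the two existing assertions so a lingering old value is caught. The comment in test_5_cert_renew says the cert is saved "for the service_show/find tests", but no service-find check against newcert follows; either add one mirroring test_4_service_find or shorten the comment to `# save the cert for the service_show test`. The test class and the body of test_7_cleanup continue outside the hunk.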