Fix replacing a certificate in a service.

When a service has a certificate and the CA backend doesn't support
revocation (like selfsign) then we simply drop the old certificate in
preparation for adding a new one. We weren't setting the usercertificate
attribute to None so there was nothing to do in ldap_update().

Added a test case for this situation to ensure that re-issuing a certificate
works.

ticket #88

2 files changed, 42 insertions, 14 deletions

diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 37de3df42..392ae60eb 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -246,17 +246,20 @@ class service_mod(LDAPUpdate):
     member_attributes = ['managedby']
 
     def pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
-        cert = options.get('usercertificate')
-        if cert:
-            (dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate'])
-            if 'usercertificate' in entry_attrs_old:
-                # FIXME: what to do here? do we revoke the old cert?
-                fmt = 'entry already has a certificate, serial number: %s' % (
-                    x509.get_serial_number(entry_attrs_old['usercertificate'][0], x509.DER)
-                )
-                raise errors.GenericError(format=fmt)
-            # FIXME: should be in normalizer; see service_add
-            entry_attrs['usercertificate'] = base64.b64decode(cert)
+        if 'usercertificate' in options:
+            cert = options.get('usercertificate')
+            if cert:
+                (dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate'])
+                if 'usercertificate' in entry_attrs_old:
+                    # FIXME: what to do here? do we revoke the old cert?
+                    fmt = 'entry already has a certificate, serial number: %s' % (
+                        x509.get_serial_number(entry_attrs_old['usercertificate'][0], x509.DER)
+                    )
+                    raise errors.GenericError(format=fmt)
+                # FIXME: should be in normalizer; see service_add
+                entry_attrs['usercertificate'] = base64.b64decode(cert)
+            else:
+                entry_attrs['usercertificate'] = None
         return dn
 
 api.register(service_mod)
diff --git a/tests/test_xmlrpc/test_cert.py b/tests/test_xmlrpc/test_cert.py
index a99848152..5d594891e 100644
--- a/tests/test_xmlrpc/test_cert.py
+++ b/tests/test_xmlrpc/test_cert.py
@@ -33,6 +33,7 @@ import base64
 
 # So we can save the cert from issuance and compare it later
 cert = None
+newcert = None
 
 # Test setup
 #
@@ -124,7 +125,7 @@ class test_cert(XMLRPC_test):
 
     def test_3_service_show(self):
         """
-        Verify that service-show has the right certificate.
+        Verify that service-show has the right certificate using service-show.
         """
         global cert
 
@@ -133,7 +134,7 @@ class test_cert(XMLRPC_test):
 
     def test_4_service_find(self):
         """
-        Verify that service-find has the right certificate.
+        Verify that service-find has the right certificate using service-find.
         """
         global cert
 
@@ -141,7 +142,31 @@ class test_cert(XMLRPC_test):
         res = api.Command['service_find'](self.service_princ)['result']
         assert base64.b64encode(res[0]['usercertificate'][0]) == cert
 
-    def test_5_cleanup(self):
+    def test_5_cert_renew(self):
+        """
+        Issue a new certificate for a service
+        """
+        global newcert
+
+        csr = unicode(self.generateCSR(self.subject))
+        res = api.Command['cert_request'](csr, principal=self.service_princ)['result']
+        assert res['subject'] == self.subject
+        # save the cert for the service_show/find tests
+        newcert = res['certificate']
+
+    def test_6_service_show(self):
+        """
+        Verify the new certificate with service-show.
+        """
+        global cert, newcert
+
+        res = api.Command['service_show'](self.service_princ)['result']
+        # It should no longer match our old cert
+        assert base64.b64encode(res['usercertificate'][0]) != cert
+        # And it should match the new one
+        assert base64.b64encode(res['usercertificate'][0]) == newcert
+
+    def test_7_cleanup(self):
         """
         Clean up cert test data
         """