Imported Debian patch 4.8.10-2

2020-11-23 20:48:56 +02:00
parent 8bc559c5a1
commit 358acdd85f
917 changed files with 1185414 additions and 1069733 deletions
--- a/ipatests/test_ipapython/test_certdb.py
+++ b/ipatests/test_ipapython/test_certdb.py
@@ -4,13 +4,19 @@ import os

 import pytest

-from ipapython.certdb import NSSDatabase, TRUSTED_PEER_TRUST_FLAGS
+from ipapython.certdb import (
+    NSSDatabase,
+    TRUSTED_PEER_TRUST_FLAGS,
+    nss_supports_dbm,
+)
+from ipapython import ipautil
 from ipaplatform.osinfo import osinfo

 CERTNICK = 'testcert'
+CERTSAN = 'testcert.certdb.test'

 if osinfo.id == 'fedora':
-    if int(osinfo.version_id) >= 28:
+    if osinfo.version_number >= (28,):
        NSS_DEFAULT = 'sql'
    else:
        NSS_DEFAULT = 'dbm'
@@ -32,11 +38,16 @@ def create_selfsigned(nssdb):
            '-s', 'CN=testcert',
            '-n', CERTNICK,
            '-m', '365',
+            '--extSAN', f'dns:{CERTSAN}'
        ])
    finally:
        os.unlink(noisefile)


+@pytest.mark.skipif(
+    not nss_supports_dbm(),
+    reason="NSS is built without support of the legacy database(DBM)",
+)
 def test_dbm_tmp():
    with NSSDatabase(dbtype='dbm') as nssdb:
        assert nssdb.dbtype == 'dbm'
@@ -57,6 +68,19 @@ def test_dbm_tmp():
        assert os.path.basename(nssdb.secmod) == 'secmod.db'


+@pytest.mark.skipif(
+    nss_supports_dbm(),
+    reason="NSS is built with support of the legacy database(DBM)",
+)
+def test_dbm_raise():
+    with pytest.raises(ValueError) as e:
+        NSSDatabase(dbtype="dbm")
+    assert (
+        str(e.value) == "NSS is built without support of the legacy "
+        "database(DBM)"
+    )
+
+
 def test_sql_tmp():
    with NSSDatabase(dbtype='sql') as nssdb:
        assert nssdb.dbtype == 'sql'
@@ -77,6 +101,10 @@ def test_sql_tmp():
        assert os.path.basename(nssdb.secmod) == 'pkcs11.txt'


+@pytest.mark.skipif(
+    not nss_supports_dbm(),
+    reason="NSS is built without support of the legacy database(DBM)",
+)
 def test_convert_db():
    with NSSDatabase(dbtype='dbm') as nssdb:
        assert nssdb.dbtype == 'dbm'
@@ -112,6 +140,10 @@ def test_convert_db():
        assert os.path.basename(nssdb.secmod) == 'pkcs11.txt'


+@pytest.mark.skipif(
+    not nss_supports_dbm(),
+    reason="NSS is built without support of the legacy database(DBM)",
+)
 def test_convert_db_nokey():
    with NSSDatabase(dbtype='dbm') as nssdb:
        assert nssdb.dbtype == 'dbm'
@@ -167,3 +199,88 @@ def test_auto_db():
        assert nssdb.filenames is not None
        assert nssdb.exists()
        nssdb.list_certs()
+
+
+def test_delete_cert_and_key():
+    """Test that delete_cert + delete_key always deletes everything
+
+    Test with a NSSDB that contains:
+    - cert + key
+    - key only
+    - cert only
+    - none of them
+    """
+    cmd = ipautil.run(['mktemp'], capture_output=True)
+    p12file = cmd.output.strip()
+
+    try:
+        with NSSDatabase() as nssdb:
+            nssdb.create_db()
+
+            # 1. Test delete_key_and_cert when cert + key are present
+            # Create a NSS DB with cert + key
+            create_selfsigned(nssdb)
+            # Save both in a p12 file for latter use
+            ipautil.run(
+                [
+                    'pk12util',
+                    '-o', p12file, '-n', CERTNICK, '-d', nssdb.secdir,
+                    '-k', nssdb.pwd_file,
+                    '-w', nssdb.pwd_file
+                ])
+            # Delete cert and key
+            nssdb.delete_key_and_cert(CERTNICK)
+            # make sure that everything was deleted
+            assert len(nssdb.list_keys()) == 0
+            assert len(nssdb.list_certs()) == 0
+
+            # 2. Test delete_key_and_cert when only key is present
+            # Import cert and key then remove cert
+            import_args = [
+                'pk12util',
+                '-i', p12file, '-d', nssdb.secdir,
+                '-k', nssdb.pwd_file,
+                '-w', nssdb.pwd_file]
+            ipautil.run(import_args)
+            nssdb.delete_cert(CERTNICK)
+            # Delete cert and key
+            nssdb.delete_key_and_cert(CERTNICK)
+            # make sure that everything was deleted
+            assert len(nssdb.list_keys()) == 0
+            assert len(nssdb.list_certs()) == 0
+
+            # 3. Test delete_key_and_cert when only cert is present
+            # Import cert and key then remove key
+            ipautil.run(import_args)
+            nssdb.delete_key_only(CERTNICK)
+            # make sure the db contains only the cert
+            assert len(nssdb.list_keys()) == 0
+            assert len(nssdb.list_certs()) == 1
+
+            # Delete cert and key when key is not present
+            nssdb.delete_key_and_cert(CERTNICK)
+            # make sure that everything was deleted
+            assert len(nssdb.list_keys()) == 0
+            assert len(nssdb.list_certs()) == 0
+
+            # 4. Test delete_key_and_cert with a wrong nickname
+            # Import cert and key
+            ipautil.run(import_args)
+            # Delete cert and key
+            nssdb.delete_key_and_cert('wrongnick')
+            # make sure that nothing was deleted
+            assert len(nssdb.list_keys()) == 1
+            assert len(nssdb.list_certs()) == 1
+    finally:
+        os.unlink(p12file)
+
+
+def test_check_validity():
+    with NSSDatabase() as nssdb:
+        nssdb.create_db()
+        create_selfsigned(nssdb)
+        with pytest.raises(ValueError):
+            nssdb.verify_ca_cert_validity(CERTNICK)
+        nssdb.verify_server_cert_validity(CERTNICK, CERTSAN)
+        with pytest.raises(ValueError):
+            nssdb.verify_server_cert_validity(CERTNICK, 'invalid.example')