URL: https://github.com/freeipa/freeipa/pull/6107
Author: mrizwan93
Title: #6107: ipatests: Test empty cert request doesn't force certmonger to segfault
Action: opened

PR body:
"""
When empty cert request is submitted to certmonger, it goes to
segfault. This fix tests that if something like this happens,
certmonger should gracefully handle it

related: https://pagure.io/certmonger/issue/191

Signed-off-by: Mohammad Rizwan <myu...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6107/head:pr6107
git checkout pr6107
From 51cf0129d270a1a1a293975399ed27b55526014f Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myu...@redhat.com>
Date: Thu, 25 Nov 2021 13:10:05 +0530
Subject: [PATCH] ipatests: Test empty cert request doesn't force certmonger to
 segfault

When empty cert request is submitted to certmonger, it goes to
segfault. This fix tests that if something like this happens,
certmonger should gracefully handle it

related: https://pagure.io/certmonger/issue/191

Signed-off-by: Mohammad Rizwan <myu...@redhat.com>
---
 ipatests/test_integration/test_cert.py | 64 ++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index f1e87b053a7..5ad4a03de37 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -586,3 +586,67 @@ def test_ca_show_error_handling(self):
         error_msg = 'ipa: ERROR: The certificate for ' \
                     '{} is not available on this server.'.format(lwca)
         assert error_msg in result.stderr_text
+
+    def test_certmonger_not_segfault(self):
+        """Test empty cert request doesn't force certmonger to segfault
+
+        When empty cert request is submitted to certmonger, it goes to
+        segfault. This fix test that if something like this happens,
+        certmonger should gracefuly handle it
+
+        related: https://pagure.io/certmonger/issue/191
+        """
+        empty_cert_req_content = ("""
+        id=dogtag-ipa-renew-agent
+        key_type=UNSPECIFIED
+        key_gen_type=UNSPECIFIED
+        key_size=0
+        key_gen_size=0
+        key_next_type=UNSPECIFIED
+        key_next_gen_type=UNSPECIFIED
+        key_next_size=0
+        key_next_gen_size=0
+        key_preserve=0
+        key_storage_type=NONE
+        key_perms=0
+        key_requested_count=0
+        key_issued_count=0
+        cert_storage_type=FILE
+        cert_perms=0
+        cert_is_ca=0
+        cert_ca_path_length=0
+        cert_no_ocsp_check=0
+        last_need_notify_check=19700101000000
+        last_need_enroll_check=19700101000000
+        template_is_ca=0
+        template_ca_path_length=-1
+        template_no_ocsp_check=0
+        state=NEED_KEY_PAIR
+        autorenew=0
+        monitor=0
+        submitted=19700101000000
+        """)
+        # stop certmonger service
+        self.master.run_command(['systemctl', 'stop', 'certmonger'])
+
+        # place an empty cert request file to certmonger request dir
+        self.master.put_file_contents(
+            f'{paths.CERTMONGER_REQUESTS_DIR}20211125062617',
+            empty_cert_req_content
+        )
+
+        # start certmonger, it should not fail
+        self.master.run_command(['systemctl', 'start', 'certmonger'])
+
+        # request a new cert, should succeed and certmonger doesn't goes
+        # to segfault
+        result = self.master.run_command([
+            "ipa-getcert", "request",
+            "-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"),
+            "-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"),
+        ])
+        request_id = re.findall(r'\d+', result.stdout_text)
+
+        # check if certificate is in MONITORING state
+        status = tasks.wait_for_request(self.master, request_id[0], 50)
+        assert status == "MONITORING"
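Review bot: nothing in test_certmonger_not_segfault cleans up after itself. The bogus request file 20211125062617 written by put_file_contents, the tracking request created by "ipa-getcert request", and the generated test.pem/test.key all stay on the master for whatever runs next. Wrap the body in try/finally (or a fixture) that runs "ipa-getcert stop-tracking -i" on the new request id and removes the three files. Smaller points in the same hunk: empty_cert_req_content is a triple-quoted string indented inside the method, so the file that certmonger reads starts with a blank line and has eight spaces in front of every key; textwrap.dedent() would write the keys at column 0 and make it clear the test exercises the intended input. The path f'{paths.CERTMONGER_REQUESTS_DIR}20211125062617' depends on the constant ending in a slash; os.path.join, as already used for test.pem and test.key, avoids that. request_id[0] takes the first run of digits anywhere in stdout and raises IndexError when there is none, so an assert on the match with the captured stdout in the message would give a clearer failure. Finally, the only assertion is that the new request reaches MONITORING; if the intent is to prove the daemon stayed up after reading the empty request, an explicit check such as "systemctl is-active certmonger" after the start would state that directly.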