ipa/SOURCES/0056-ipatests-Test-that-a-user-can-be-issued-multiple-cer.patch

From 86588640137562b2016fdb0f91142d00bc38e54a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 10 Sep 2021 09:01:48 -0400
Subject: [PATCH] ipatests: Test that a user can be issued multiple
 certificates

Prevent regressions in the LDAP cache layer that caused newly
issued certificates to overwrite existing ones.

https://pagure.io/freeipa/issue/8986

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
---
 ipatests/test_integration/test_cert.py | 29 ++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index 7d51b76ee347237450b7484cf48c2e6a1bed7f7d..b4e85eadcf41212fdd16f0f3aa130a916b5019fa 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -16,6 +16,7 @@ import string
 import time
 
 from ipaplatform.paths import paths
+from ipapython.dn import DN
 from cryptography import x509
 from cryptography.x509.oid import ExtensionOID
 from cryptography.hazmat.backends import default_backend
@@ -183,6 +184,34 @@ class TestInstallMasterClient(IntegrationTest):
         )
         assert "profile: caServerCert" in result.stdout_text
 
+    def test_multiple_user_certificates(self):
+        """Test that a user may be issued multiple certificates"""
+        ldap = self.master.ldap_connect()
+
+        user = 'user1'
+
+        tasks.kinit_admin(self.master)
+        tasks.user_add(self.master, user)
+
+        for id in (0,1):
+            csr_file = f'{id}.csr'
+            key_file = f'{id}.key'
+            cert_file = f'{id}.crt'
+            openssl_cmd = [
+                'openssl', 'req', '-newkey', 'rsa:2048', '-keyout', key_file,
+                '-nodes', '-out', csr_file, '-subj', '/CN=' + user]
+            self.master.run_command(openssl_cmd)
+
+            cmd_args = ['ipa', 'cert-request', '--principal', user,
+                        '--certificate-out', cert_file, csr_file]
+            self.master.run_command(cmd_args)
+
+        # easier to count by pulling the LDAP entry
+        entry = ldap.get_entry(DN(('uid', user), ('cn', 'users'),
+                               ('cn', 'accounts'), self.master.domain.basedn))
+
+        assert len(entry.get('usercertificate')) == 2
+
     @pytest.fixture
     def test_subca_certs(self):
         """
-- 
2.31.1
import ipa-4.9.6-9.el9 2021-12-07 17:19:43 +00:00			`From 86588640137562b2016fdb0f91142d00bc38e54a Mon Sep 17 00:00:00 2001`
			`From: Rob Crittenden <rcritten@redhat.com>`
			`Date: Fri, 10 Sep 2021 09:01:48 -0400`
			`Subject: [PATCH] ipatests: Test that a user can be issued multiple`
			`certificates`

			`Prevent regressions in the LDAP cache layer that caused newly`
			`issued certificates to overwrite existing ones.`

			`https://pagure.io/freeipa/issue/8986`

			`Signed-off-by: Rob Crittenden <rcritten@redhat.com>`
			`Reviewed-By: Francois Cami <fcami@redhat.com>`
			`Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>`
			`---`
			`ipatests/test_integration/test_cert.py \| 29 ++++++++++++++++++++++++++`
			`1 file changed, 29 insertions(+)`

			`diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py`
			`index 7d51b76ee347237450b7484cf48c2e6a1bed7f7d..b4e85eadcf41212fdd16f0f3aa130a916b5019fa 100644`
			`--- a/ipatests/test_integration/test_cert.py`
			`+++ b/ipatests/test_integration/test_cert.py`
			`@@ -16,6 +16,7 @@ import string`
			`import time`

			`from ipaplatform.paths import paths`
			`+from ipapython.dn import DN`
			`from cryptography import x509`
			`from cryptography.x509.oid import ExtensionOID`
			`from cryptography.hazmat.backends import default_backend`
			`@@ -183,6 +184,34 @@ class TestInstallMasterClient(IntegrationTest):`
			`)`
			`assert "profile: caServerCert" in result.stdout_text`

			`+ def test_multiple_user_certificates(self):`
			`+ """Test that a user may be issued multiple certificates"""`
			`+ ldap = self.master.ldap_connect()`
			`+`
			`+ user = 'user1'`
			`+`
			`+ tasks.kinit_admin(self.master)`
			`+ tasks.user_add(self.master, user)`
			`+`
			`+ for id in (0,1):`
			`+ csr_file = f'{id}.csr'`
			`+ key_file = f'{id}.key'`
			`+ cert_file = f'{id}.crt'`
			`+ openssl_cmd = [`
			`+ 'openssl', 'req', '-newkey', 'rsa:2048', '-keyout', key_file,`
			`+ '-nodes', '-out', csr_file, '-subj', '/CN=' + user]`
			`+ self.master.run_command(openssl_cmd)`
			`+`
			`+ cmd_args = ['ipa', 'cert-request', '--principal', user,`
			`+ '--certificate-out', cert_file, csr_file]`
			`+ self.master.run_command(cmd_args)`
			`+`
			`+ # easier to count by pulling the LDAP entry`
			`+ entry = ldap.get_entry(DN(('uid', user), ('cn', 'users'),`
			`+ ('cn', 'accounts'), self.master.domain.basedn))`
			`+`
			`+ assert len(entry.get('usercertificate')) == 2`
			`+`
			`@pytest.fixture`
			`def test_subca_certs(self):`
			`"""`
			`--`
			`2.31.1`