diff --git a/definitions/checks/check_sha1_certificate_authority.rb b/definitions/checks/check_sha1_certificate_authority.rb
new file mode 100644
index 000000000..fc22ddc59
--- /dev/null
+++ b/definitions/checks/check_sha1_certificate_authority.rb
@@ -0,0 +1,24 @@
+class Checks::CheckSha1CertificateAuthority < ForemanMaintain::Check
+ metadata do
+ label :check_sha1_certificate_authority
+ description 'Check if server certificate authority is sha1 signed'
+
+ confine do
+ feature(:katello)
+ end
+
+ do_not_whitelist
+ end
+
+ def run
+ installer_answers = feature(:installer).answers
+ server_ca = installer_answers[:certs][:server_ca_cert]
+
+ certificate = OpenSSL::X509::Certificate.new(File.read(server_ca))
+
+ assert(
+ certificate.signature_algorithm != 'sha1WithRSAEncryption',
+ "Server CA certificate signed with sha1 which will break on upgrade."
+ )
+ end
+end
diff --git a/definitions/scenarios/foreman_upgrade.rb b/definitions/scenarios/foreman_upgrade.rb
index 583996a9f..c0638505f 100644
--- a/definitions/scenarios/foreman_upgrade.rb
+++ b/definitions/scenarios/foreman_upgrade.rb
@@ -54,6 +54,7 @@ def compose
 Checks::PackageManager::Dnf::ValidateDnfConfig,
 Checks::Repositories::CheckNonRhRepository,
 Checks::CheckOrganizationContentAccessMode,
+ Checks::CheckSha1CertificateAuthority,
 Checks::Repositories::Validate
 )
 end
diff --git a/definitions/scenarios/satellite_upgrade.rb b/definitions/scenarios/satellite_upgrade.rb
index 7da75ea8a..0735762b6 100644
--- a/definitions/scenarios/satellite_upgrade.rb
+++ b/definitions/scenarios/satellite_upgrade.rb
@@ -55,6 +55,7 @@ def compose
 Checks::CheckIpv6Disable,
 Checks::Disk::AvailableSpacePostgresql13,
 Checks::CheckOrganizationContentAccessMode,
+ Checks::CheckSha1CertificateAuthority,
 Checks::Repositories::Validate.new(:version => target_version),
 )
 end
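Review bot: The comparison in `run` only rejects the exact name `'sha1WithRSAEncryption'`, so a server CA signed with another SHA-1 scheme (`ecdsa-with-SHA1`, `dsaWithSHA1`, the older `sha1WithRSA`) passes the check although it has the same weakness; test the digest rather than one algorithm name, `!certificate.signature_algorithm.match?(/sha1/i)`. The lookup `installer_answers[:certs][:server_ca_cert]` is also fragile: when the answer is unset — which I believe is the case for installations without a custom CA — `File.read(nil)` raises a TypeError instead of producing a check result, and since the check is `do_not_whitelist` that presumably cannot be skipped; read it with `installer_answers.dig(:certs, :server_ca_cert)` and handle a nil or unreadable path explicitly (skip with an explanatory message, or fall back to the installer's default CA path — confirm against the installer defaults). The failure message would be more actionable if it named the file and the algorithm found, e.g. `"Server CA certificate #{server_ca} is signed with #{certificate.signature_algorithm}, which will break on upgrade."`.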
diff --git a/test/definitions/checks/check_sha1_certificate_authority_test.rb b/test/definitions/checks/check_sha1_certificate_authority_test.rb
new file mode 100644
index 000000000..bd2770dd1
--- /dev/null
+++ b/test/definitions/checks/check_sha1_certificate_authority_test.rb
@@ -0,0 +1,43 @@
+require 'test_helper'
+
+require_relative '../test_helper'
+require_relative '../../../definitions/checks/check_sha1_certificate_authority'
+
+describe Checks::CheckSha1CertificateAuthority do
+ include DefinitionsTestHelper
+
+ subject { Checks::CheckSha1CertificateAuthority.new }
+
+ let(:ca_cert) do
+ <<~CERT
+ -----BEGIN CERTIFICATE-----
+ MIIDHTCCAgWgAwIBAgIUbkOgb3ORoG8G9K3aCqGHvmxjMXQwDQYJKoZIhvcNAQEF
+ BQAwHjEcMBoGA1UEAwwTVGVzdCBTZWxmLVNpZ25lZCBDQTAeFw0yNDExMjYyMDMw
+ MTRaFw0zNDExMjQyMDMwMTRaMB4xHDAaBgNVBAMME1Rlc3QgU2VsZi1TaWduZWQg
+ Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDca251YgujAdBW9Dk7
+ cHcAPpGkDdQitpL63dQxMqAW3qPVErnjouHe3HDhE2ibVoccBGS5vLjTedXMJVII
+ rGvJyqiY2OR3iANb3KA5LswKjty/FPVC+XxKeX4ZPHBXNrvRkZ0K4Ih3cr8V4ZKF
+ iz9/398HHB+ZfhWLSsVe89SSoZuk86DNnc5MzaU/0fS4OCIlNcs67s8geGQMbIJh
+ F9gqoCziiWu4eQU+6q3nxLzXJUGePGv6HlfI51W9kXu2pK79TMxK8nqan0yBhVqO
+ Ll9M8j6BN2V7/syMZlBhQDEUeZy23nzdXQVSwVGLaeqO5pJK6Z8Li1oBS0PPUS1k
+ Ck4HAgMBAAGjUzBRMB0GA1UdDgQWBBSClr59wc0O6GmE7jnxBwVC2hPurTAfBgNV
+ HSMEGDAWgBSClr59wc0O6GmE7jnxBwVC2hPurTAPBgNVHRMBAf8EBTADAQH/MA0G
+ CSqGSIb3DQEBBQUAA4IBAQDa59NGJa8Bx7rmWGNqXITg+ZLg4pue/7XYYVuOlE12
+ IN+WrtU0hZxGX0LTf3fVsSZHByXaTQ+9Td8X+aEtX8OJLXdckk6kpCePnregd2cM
+ BrFoUscVNdyThJnPrPYTMufyS38VByS5kWZW5WetlOYxyl56sCIjEJp+TYPI+Yvk
+ HwvgixsbXZuKa19/m6gMF1hn58hMHt+CG/24lQgWXzvAxMC23xcNLRoiBh3YCejh
+ JA7VJrbYCR4PypDoYm3A7IAmj1nNCcrfahf1G8QNkxdntepQ2kf32PAKAQszXEMB
+ Lh3FzbuCRGvqrCLF7CrcoGzvSEge3Pv/lUSZ3uoOobp/
+ -----END CERTIFICATE-----
+ CERT
+ end
+
+ it 'throws an error message when server CA certificate is signed with sha1' do
+ assume_feature_present(:katello)
+ assume_feature_present(:installer, answers: {:certs => {:server_ca_cert => 'ca-sha1.crt'}})
+ File.expects(:read).with('ca-sha1.crt').returns(ca_cert)
+ result = run_step(subject)
+
+ assert result.fail?
+ end
+end
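Review bot: The test exercises only the failing path; a second case feeding a certificate whose `signature_algorithm` is not SHA-1 (a SHA-256 self-signed fixture) and asserting the step passes (`result.success?`, if the helper's result exposes it alongside `fail?`) would catch a regression that makes the check fail for every CA, and a case where `:server_ca_cert` is absent from the answers would pin down the behaviour for installations without a custom CA. The embedded PEM is a sensible fixture, but nothing tells the reader what makes it fail; a comment above the heredoc such as `# self-signed "Test Self-Signed CA", sha1WithRSAEncryption, not-after 2034-11-24` would save decoding it. The file requires both `'test_helper'` and `'../test_helper'`; if the first is the convention in sibling tests the second looks redundant — worth confirming against neighbouring test files.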
diff --git a/test/definitions/scenarios/katello_upgrade_test.rb b/test/definitions/scenarios/katello_upgrade_test.rb
index dbfb317e3..0cb1a38e6 100644
--- a/test/definitions/scenarios/katello_upgrade_test.rb
+++ b/test/definitions/scenarios/katello_upgrade_test.rb
@@ -40,6 +40,7 @@
 Checks::Repositories::CheckNonRhRepository,
 Checks::Disk::AvailableSpacePostgresql13,
 Checks::CheckOrganizationContentAccessMode,
+ Checks::CheckSha1CertificateAuthority,
 Checks::Repositories::Validate,
 )
 end
@@ -72,6 +73,7 @@
 Checks::Repositories::CheckNonRhRepository,
 Checks::Disk::AvailableSpacePostgresql13,
 Checks::CheckOrganizationContentAccessMode,
+ Checks::CheckSha1CertificateAuthority,
 Checks::Repositories::Validate,
 )
 end
diff --git a/test/definitions/scenarios/satellite_upgrade_test.rb b/test/definitions/scenarios/satellite_upgrade_test.rb
index 0002b9292..bca956826 100644
--- a/test/definitions/scenarios/satellite_upgrade_test.rb
+++ b/test/definitions/scenarios/satellite_upgrade_test.rb
@@ -89,6 +89,7 @@
 Checks::CheckIpv6Disable,
 Checks::Disk::AvailableSpacePostgresql13,
 Checks::CheckOrganizationContentAccessMode,
+ Checks::CheckSha1CertificateAuthority,
 Checks::Repositories::Validate,
 )
 end
@@ -122,6 +123,7 @@
 Checks::CheckIpv6Disable,
 Checks::Disk::AvailableSpacePostgresql13,
 Checks::CheckOrganizationContentAccessMode,
+ Checks::CheckSha1CertificateAuthority,
 Checks::Repositories::Validate,
 )
 end