Add check for sha1 server certificate before upgrading

Signed-off-by: Eric D. Helms <ericdhelms@gmail.com> (cherry picked from commit a213320)
theforeman · Dec 5, 2024 · c8977f0 · c8977f0
1 parent 7d66c91
commit c8977f0
Show file tree

Hide file tree

Showing 6 changed files with 79 additions and 0 deletions.
diff --git a/definitions/checks/check_sha1_certificate_authority.rb b/definitions/checks/check_sha1_certificate_authority.rb
@@ -0,0 +1,27 @@
+class Checks::CheckSha1CertificateAuthority < ForemanMaintain::Check
+  metadata do
+    label :check_sha1_certificate_authority
+    description 'Check if server certificate authority is sha1 signed'
+
+    confine do
+      feature(:katello) || feature(:foreman_proxy)
+    end
+
+    do_not_whitelist
+  end
+
+  def run
+    installer_answers = feature(:installer).answers
+    server_ca = installer_answers['certs']['server_ca_cert']
+
+    certificate = OpenSSL::X509::Certificate.new(File.read(server_ca))
+
+    msg = <<~MSG
+      Server CA certificate signed with sha1 which will break on upgrade.
+      Update the server CA certificate with one signed with sha256 or
+      stronger then proceed with the upgrade.
+    MSG
+
+    assert(certificate.signature_algorithm != 'sha1WithRSAEncryption', msg)
+  end
+end
diff --git a/definitions/scenarios/foreman_upgrade.rb b/definitions/scenarios/foreman_upgrade.rb
@@ -53,6 +53,7 @@ def compose
         Checks::PackageManager::Dnf::ValidateDnfConfig,
         Checks::Repositories::CheckNonRhRepository,
         Checks::CheckOrganizationContentAccessMode,
+        Checks::CheckSha1CertificateAuthority,
         Checks::Repositories::Validate
       )
     end

diff --git a/definitions/scenarios/satellite_upgrade.rb b/definitions/scenarios/satellite_upgrade.rb
@@ -55,6 +55,7 @@ def compose
         Checks::CheckIpv6Disable,
         Checks::Disk::AvailableSpacePostgresql13,
         Checks::CheckOrganizationContentAccessMode,
+        Checks::CheckSha1CertificateAuthority,
         Checks::Repositories::Validate.new(:version => target_version),
       )
     end

diff --git a/test/definitions/checks/check_sha1_certificate_authority_test.rb b/test/definitions/checks/check_sha1_certificate_authority_test.rb
@@ -0,0 +1,46 @@
+require 'test_helper'
+
+require_relative '../test_helper'
+require_relative '../../../definitions/checks/check_sha1_certificate_authority'
+
+describe Checks::CheckSha1CertificateAuthority do
+  include DefinitionsTestHelper
+
+  subject { Checks::CheckSha1CertificateAuthority.new }
+
+  let(:ca_cert) do
+    <<~CERT
+      -----BEGIN CERTIFICATE-----
+      MIIDHTCCAgWgAwIBAgIUbkOgb3ORoG8G9K3aCqGHvmxjMXQwDQYJKoZIhvcNAQEF
+      BQAwHjEcMBoGA1UEAwwTVGVzdCBTZWxmLVNpZ25lZCBDQTAeFw0yNDExMjYyMDMw
+      MTRaFw0zNDExMjQyMDMwMTRaMB4xHDAaBgNVBAMME1Rlc3QgU2VsZi1TaWduZWQg
+      Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDca251YgujAdBW9Dk7
+      cHcAPpGkDdQitpL63dQxMqAW3qPVErnjouHe3HDhE2ibVoccBGS5vLjTedXMJVII
+      rGvJyqiY2OR3iANb3KA5LswKjty/FPVC+XxKeX4ZPHBXNrvRkZ0K4Ih3cr8V4ZKF
+      iz9/398HHB+ZfhWLSsVe89SSoZuk86DNnc5MzaU/0fS4OCIlNcs67s8geGQMbIJh
+      F9gqoCziiWu4eQU+6q3nxLzXJUGePGv6HlfI51W9kXu2pK79TMxK8nqan0yBhVqO
+      Ll9M8j6BN2V7/syMZlBhQDEUeZy23nzdXQVSwVGLaeqO5pJK6Z8Li1oBS0PPUS1k
+      Ck4HAgMBAAGjUzBRMB0GA1UdDgQWBBSClr59wc0O6GmE7jnxBwVC2hPurTAfBgNV
+      HSMEGDAWgBSClr59wc0O6GmE7jnxBwVC2hPurTAPBgNVHRMBAf8EBTADAQH/MA0G
+      CSqGSIb3DQEBBQUAA4IBAQDa59NGJa8Bx7rmWGNqXITg+ZLg4pue/7XYYVuOlE12
+      IN+WrtU0hZxGX0LTf3fVsSZHByXaTQ+9Td8X+aEtX8OJLXdckk6kpCePnregd2cM
+      BrFoUscVNdyThJnPrPYTMufyS38VByS5kWZW5WetlOYxyl56sCIjEJp+TYPI+Yvk
+      HwvgixsbXZuKa19/m6gMF1hn58hMHt+CG/24lQgWXzvAxMC23xcNLRoiBh3YCejh
+      JA7VJrbYCR4PypDoYm3A7IAmj1nNCcrfahf1G8QNkxdntepQ2kf32PAKAQszXEMB
+      Lh3FzbuCRGvqrCLF7CrcoGzvSEge3Pv/lUSZ3uoOobp/
+      -----END CERTIFICATE-----
+    CERT
+  end
+
+  it 'throws an error message when server CA certificate is signed with sha1' do
+    assume_feature_present(:katello)
+    assume_feature_present(
+      :installer,
+      answers: { 'certs' => { 'server_ca_cert' => 'ca-sha1.crt' } }
+    )
+    File.expects(:read).with('ca-sha1.crt').returns(ca_cert)
+    result = run_step(subject)
+
+    assert result.fail?
+  end
+end
diff --git a/test/definitions/scenarios/katello_upgrade_test.rb b/test/definitions/scenarios/katello_upgrade_test.rb
@@ -40,6 +40,7 @@
         Checks::Repositories::CheckNonRhRepository,
         Checks::Disk::AvailableSpacePostgresql13,
         Checks::CheckOrganizationContentAccessMode,
+        Checks::CheckSha1CertificateAuthority,
         Checks::Repositories::Validate,
       )
     end
@@ -72,6 +73,7 @@
         Checks::Repositories::CheckNonRhRepository,
         Checks::Disk::AvailableSpacePostgresql13,
         Checks::CheckOrganizationContentAccessMode,
+        Checks::CheckSha1CertificateAuthority,
         Checks::Repositories::Validate,
       )
     end

diff --git a/test/definitions/scenarios/satellite_upgrade_test.rb b/test/definitions/scenarios/satellite_upgrade_test.rb
@@ -41,6 +41,7 @@
         Checks::CheckIpv6Disable,
         Checks::Disk::AvailableSpacePostgresql13,
         Checks::CheckOrganizationContentAccessMode,
+        Checks::CheckSha1CertificateAuthority,
         Checks::Repositories::Validate,
       )
     end
@@ -74,6 +75,7 @@
         Checks::CheckIpv6Disable,
         Checks::Disk::AvailableSpacePostgresql13,
         Checks::CheckOrganizationContentAccessMode,
+        Checks::CheckSha1CertificateAuthority,
         Checks::Repositories::Validate,
       )
     end