Fix passphrase None errors

At this moment if ca_private_key_passphrase is None loadbalancer cannot be created due to AttributeError. Current change adds check for None before encoding. Story: 2003588 Task: 24896 Change-Id: I40063aa2f96534c12b284f72d16c9f5a72ad1486
2018-08-29 17:10:18 +04:00 · 2018-08-29 17:10:18 +04:00 · 2a2b308a39
parent aed0867de4
commit 2a2b308a39
2 changed files with 47 additions and 1 deletions
--- a/octavia/certificates/generator/local.py
+++ b/octavia/certificates/generator/local.py
@ -106,7 +106,8 @@ class LocalCertGenerator(cert_gen.CertGenerator):
                ca_key = f.read()
        if not ca_key_pass:
            ca_key_pass = CONF.certificates.ca_private_key_passphrase
-            ca_key_pass = ca_key_pass.encode('utf-8')
+            if ca_key_pass is not None:
+                ca_key_pass = ca_key_pass.encode('utf-8')

        try:
            lo_cert = x509.load_pem_x509_certificate(
--- a/octavia/tests/unit/certificates/generator/test_local.py
+++ b/octavia/tests/unit/certificates/generator/test_local.py
@ -99,6 +99,51 @@ class TestLocalGenerator(local_csr.BaseLocalCSRTestCase):
        self.assertFalse(cert.extensions.get_extension_for_class(
            x509.BasicConstraints).value.ca)

+    def test_sign_cert_passphrase_none(self):
+        # Attempt sign a cert
+        ca_private_key = self.ca_key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            encryption_algorithm=serialization.NoEncryption()
+        )
+        signed_cert = self.cert_generator.sign_cert(
+            csr=self.certificate_signing_request,
+            validity=2 * 365 * 24 * 60 * 60,
+            ca_cert=self.ca_certificate,
+            ca_key=ca_private_key,
+            ca_key_pass=None,
+            ca_digest=self.signing_digest
+        )
+
+        self.assertIn("-----BEGIN CERTIFICATE-----",
+                      signed_cert.decode('ascii'))
+
+        # Load the cert for specific tests
+        cert = x509.load_pem_x509_certificate(
+            data=signed_cert, backend=backends.default_backend())
+
+        # Make sure expiry time is accurate
+        should_expire = (datetime.datetime.utcnow() +
+                         datetime.timedelta(seconds=2 * 365 * 24 * 60 * 60))
+        diff = should_expire - cert.not_valid_after
+        self.assertTrue(diff < datetime.timedelta(seconds=10))
+
+        # Make sure this is a version 3 X509.
+        self.assertEqual('v3', cert.version.name)
+
+        # Make sure this cert is marked as Server and Client Cert via the
+        # extended Key Usage extension
+        self.assertIn(x509.oid.ExtendedKeyUsageOID.SERVER_AUTH,
+                      cert.extensions.get_extension_for_class(
+                          x509.ExtendedKeyUsage).value._usages)
+        self.assertIn(x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH,
+                      cert.extensions.get_extension_for_class(
+                          x509.ExtendedKeyUsage).value._usages)
+
+        # Make sure this cert can't sign other certs
+        self.assertFalse(cert.extensions.get_extension_for_class(
+            x509.BasicConstraints).value.ca)
+
    def test_sign_cert_invalid_algorithm(self):
        self.assertRaises(
            crypto_exceptions.UnsupportedAlgorithm,