From 3a9e211feb00d742426e5213ad15c2ae2129ad39 Mon Sep 17 00:00:00 2001 From: Dermot Bradley Date: Fri, 13 Jan 2023 01:17:26 +0000 Subject: [PATCH] Overhaul/rewrite of certificate handling as follows: Change "ca-certs" references to "ca_certs". New certificates are written to individual files, with an incrementing number as part of their filename, rather than all being placed in a single file. This resolves issues caused when certificate files containing more than a single certificate are placed in /etc/ssl/certs (by utilities such as "update-ca-certificates" run by ca_certs). Alpine / Debian / Ubuntu: The current behaviour, whilst it works, is incorrect with regard to the design of the underlying OS utilities for managing certificates. For "remove_defaults" the system-installed certificate files should not be actually deleted (otherwise it becomes problematic if someone wishes to later re-enable one or more of them), rather they should be deactivated and these OSes already provide the means to do so - this MR modifies the certificate entries in the /etc/ca-certificates.conf file by prefixing them with "!" - when the update-ca-certificate utility is then run it will *not* place such delimited certificates into either the /etc/ssl/certs/ directory (via symlinks) nor add them to the (re)generated certificates bundle file. Additionally it is incorrect for added certificates to be placed in the /usr/share/ca-certificates directory - this location is intended for standard/"official" certificates, the /usr/local/share/ca-certificates directory is intended for "local" or "site-specific" certificates and so this PR adds them there instead - for certs in /usr/local/share/ca-certificates the update-ca-certificates utility will automatically use them, there is *no* need to add their filenames to the /etc/ca-certificates.conf file. RHEL / Fedora: For RHEL (and Fedora which I have enabled in this PR) I believe the existing "remove_defaults" behaviour is also incorrect in deleting certificates files. However I have not been able to determine the correct functionality to disable them, therefore this PR generates an error if certificate deletion is activated for RHEL & Fedora. FreeBSD: This PR adds functionality for FreeBSD to add and delete/disable certificates. For "delete" functionality existing system certificates are moved to the blacklist directory in order to disable them. LP: #1599694, #1901915, #1931174 --- cloudinit/config/cc_ca_certs.py | 195 +++++++++++++------- tests/unittests/config/test_cc_ca_certs.py | 202 +++++++++------------ 2 files changed, 208 insertions(+), 189 deletions(-) diff --git a/cloudinit/config/cc_ca_certs.py b/cloudinit/config/cc_ca_certs.py index 302a67a4fd9..ef9a2d2b7f3 100644 --- a/cloudinit/config/cc_ca_certs.py +++ b/cloudinit/config/cc_ca_certs.py @@ -5,48 +5,76 @@ """CA Certs: Add ca certificates.""" import os +import shutil from logging import Logger from textwrap import dedent +from cloudinit import log as logging from cloudinit import subp, util from cloudinit.cloud import Cloud from cloudinit.config import Config from cloudinit.config.schema import MetaSchema, get_meta_doc from cloudinit.settings import PER_INSTANCE +LOG = logging.getLogger(__name__) + DEFAULT_CONFIG = { - "ca_cert_path": "/usr/share/ca-certificates/", - "ca_cert_filename": "cloud-init-ca-certs.crt", + "ca_cert_path": None, + "ca_cert_blacklist_path": None, + "ca_cert_local_path": "/usr/local/share/ca-certificates/", + "ca_cert_filename": "cloud-init-ca-cert-%(number)s.crt", "ca_cert_config": "/etc/ca-certificates.conf", - "ca_cert_system_path": "/etc/ssl/certs/", "ca_cert_update_cmd": ["update-ca-certificates"], } DISTRO_OVERRIDES = { + "fedora": { + "ca_cert_path": None, + "ca_cert_blacklist_path": None, + "ca_cert_local_path": "/usr/share/pki/ca-trust-source/anchors/", + "ca_cert_filename": "cloud-init-ca-cert-%(number)s.crt", + "ca_cert_config": None, + "ca_cert_update_cmd": ["update-ca-trust"], + }, + "freebsd": { + "ca_cert_path": "/usr/share/certs/trusted/", + "ca_cert_blacklist_path": "/usr/share/certs/blacklisted/", + "ca_cert_local_path": "/usr/local/share/certs/", + "ca_cert_filename": "cloud-init-ca-cert-%(number)s.crt", + "ca_cert_config": None, + "ca_cert_update_cmd": ["certctl", "rehash"], + }, "rhel": { - "ca_cert_path": "/usr/share/pki/ca-trust-source/", - "ca_cert_filename": "anchors/cloud-init-ca-certs.crt", + "ca_cert_path": None, + "ca_cert_blacklist_path": None, + "ca_cert_local_path": "/usr/share/pki/ca-trust-source/anchors/", + "ca_cert_filename": "cloud-init-ca-cert-%(number)s.crt", "ca_cert_config": None, - "ca_cert_system_path": "/etc/pki/ca-trust/", "ca_cert_update_cmd": ["update-ca-trust"], - } + }, } MODULE_DESCRIPTION = """\ -This module adds CA certificates to ``/etc/ca-certificates.conf`` and updates -the ssl cert cache using ``update-ca-certificates``. The default certificates -can be removed from the system with the configuration option -``remove_defaults``. +This module adds CA certificates to the system's OpenSSL CA directory and +updates the OpenSSL CA cache using the appropriate OS-specific utility. The +default CA certificates can be disabled from use by the system/OpenSSL with +the configuration option ``remove_defaults``. .. note:: certificates must be specified using valid yaml. in order to specify a multiline certificate, the yaml multiline list syntax must be used .. note:: - For Alpine Linux the "remove_defaults" functionality works if the - ca-certificates package is installed but not if the - ca-certificates-bundle package is installed. + Alpine Linux requires the ca-certificates package to be installed in + order to provide the ``update-ca-certificates`` command. This module + will not work as expected if only the ca-certificates-bundle package is + installed. + +.. note:: + For RHEL and Fedora this module currently only support adding + certificates, there is no support for disabling/deleting the standard + system CA certificates. """ -distros = ["alpine", "debian", "ubuntu", "rhel"] +distros = ["alpine", "debian", "fedora", "freebsd", "rhel", "ubuntu"] meta: MetaSchema = { "id": "cc_ca_certs", @@ -79,11 +107,11 @@ def _distro_ca_certs_configs(distro_name): """Return a distro-specific ca_certs config dictionary @param distro_name: String providing the distro class name. - @returns: Dict of distro configurations for ca-cert. + @returns: Dict of distro configurations for ca_cert. """ cfg = DISTRO_OVERRIDES.get(distro_name, DEFAULT_CONFIG) cfg["ca_cert_full_path"] = os.path.join( - cfg["ca_cert_path"], cfg["ca_cert_filename"] + cfg["ca_cert_local_path"], cfg["ca_cert_filename"] ) return cfg @@ -107,88 +135,108 @@ def add_ca_certs(distro_cfg, certs): """ if not certs: return - # First ensure they are strings... - cert_file_contents = "\n".join([str(c) for c in certs]) - util.write_file( - distro_cfg["ca_cert_full_path"], cert_file_contents, mode=0o644 - ) - update_cert_config(distro_cfg) + # Write each certificate to a separate file, maximum 99 certificates. + cert_number = 0 + for c in certs: + # First ensure they are strings... + cert_file_contents = str(c) + cert_number += 1 + if cert_number == 100: + LOG.error( + "100+ certificates specified, ignoring more than the 1st" + " 99 certs." + ) + return + + cert_file_name = distro_cfg["ca_cert_full_path"] % { + "number": str(cert_number).zfill(2) + } + util.write_file(cert_file_name, cert_file_contents, mode=0o644) + + +def disable_default_ca_certs(distro_name, distro_cfg): + """ + Disables all default trusted CA certificates. To actually apply the + changes you must also call L{update_ca_certs}. + + @param distro_name: String providing the distro class name. + @param distro_cfg: A hash providing _distro_ca_certs_configs function. + """ + if distro_name == "freebsd": + move_freebsd_ca_certs_to_blacklist_dir(distro_cfg) + elif distro_name in ["alpine", "debian", "ubuntu"]: + disable_system_ca_certs(distro_cfg) + if distro_name in ["debian", "ubuntu"]: + debconf_sel = ( + "ca-certificates ca-certificates/trust_new_crts " + "select no" + ) + subp.subp(("debconf-set-selections", "-"), debconf_sel) -def update_cert_config(distro_cfg): + +def disable_system_ca_certs(distro_cfg): """ - Update Certificate config file to add the file path managed cloud-init + For every entry in the CA_CERT_CONFIG file prefix the entry with a "!" + in order to disable it. @param distro_cfg: A hash providing _distro_ca_certs_configs function. """ if distro_cfg["ca_cert_config"] is None: return - if os.stat(distro_cfg["ca_cert_config"]).st_size == 0: - # If the CA_CERT_CONFIG file is empty (i.e. all existing - # CA certs have been deleted) then simply output a single - # line with the cloud-init cert filename. - out = "%s\n" % distro_cfg["ca_cert_filename"] - else: - # Append cert filename to CA_CERT_CONFIG file. - # We have to strip the content because blank lines in the file - # causes subsequent entries to be ignored. (LP: #1077020) + if os.stat(distro_cfg["ca_cert_config"]).st_size != 0: orig = util.load_file(distro_cfg["ca_cert_config"]) - cr_cont = "\n".join( - [ - line - for line in orig.splitlines() - if line != distro_cfg["ca_cert_filename"] - ] - ) - out = "%s\n%s\n" % (cr_cont.rstrip(), distro_cfg["ca_cert_filename"]) + out = "" + for line in orig.splitlines(): + if line.startswith("#") or line == "": + out += line + "\n" + else: + out += "!" + line + "\n" util.write_file(distro_cfg["ca_cert_config"], out, omode="wb") -def remove_default_ca_certs(distro_name, distro_cfg): +def move_freebsd_ca_certs_to_blacklist_dir(distro_cfg): """ - Removes all default trusted CA certificates from the system. To actually - apply the change you must also call L{update_ca_certs}. + For every file in the CA_CERT_PATH directory move it to the + CA_CERT_BLACKLIST_DIR in order to disable it. - @param distro_name: String providing the distro class name. @param distro_cfg: A hash providing _distro_ca_certs_configs function. """ - util.delete_dir_contents(distro_cfg["ca_cert_path"]) - util.delete_dir_contents(distro_cfg["ca_cert_system_path"]) - util.write_file(distro_cfg["ca_cert_config"], "", mode=0o644) - - if distro_name in ["debian", "ubuntu"]: - debconf_sel = ( - "ca-certificates ca-certificates/trust_new_crts " + "select no" - ) - subp.subp(("debconf-set-selections", "-"), debconf_sel) + if ( + distro_cfg["ca_cert_config"] is None + or distro_cfg["ca_cert_blacklist_path"] is None + ): + return + LOG.debug("Moving system CA certificates to blacklist directory") + shutil.move( + distro_cfg["ca_cert_path"], distro_cfg["ca_cert_blacklist_path"]) def handle( name: str, cfg: Config, cloud: Cloud, log: Logger, args: list ) -> None: """ - Call to handle ca-cert sections in cloud-config file. + Call to handle ca_cert sections in cloud-config file. - @param name: The module name "ca-cert" from cloud.cfg + @param name: The module name "ca_cert" from cloud.cfg @param cfg: A nested dict containing the entire cloud config contents. @param cloud: The L{CloudInit} object in use. @param log: Pre-initialized Python logger object to use for logging. @param args: Any module arguments from cloud.cfg """ if "ca-certs" in cfg: - log.warning( + LOG.warning( "DEPRECATION: key 'ca-certs' is now deprecated. Use 'ca_certs'" " instead." ) elif "ca_certs" not in cfg: - log.debug( + LOG.debug( "Skipping module named %s, no 'ca_certs' key in configuration", name, ) return if "ca-certs" in cfg and "ca_certs" in cfg: - log.warning( + LOG.warning( "Found both ca-certs (deprecated) and ca_certs config keys." " Ignoring ca-certs." ) @@ -198,26 +246,37 @@ def handle( # If there is a remove_defaults option set to true, remove the system # default trusted CA certs first. if "remove-defaults" in ca_cert_cfg: - log.warning( + LOG.warning( "DEPRECATION: key 'ca-certs.remove-defaults' is now deprecated." " Use 'ca_certs.remove_defaults' instead." ) - if ca_cert_cfg.get("remove-defaults", False): - log.debug("Removing default certificates") - remove_default_ca_certs(cloud.distro.name, distro_cfg) + if cloud.distro.name in ["fedora", "rhel"]: + LOG.error( + "Disabling default certificates is not supported for" + " this distro." + ) + elif ca_cert_cfg.get("remove-defaults", False): + LOG.debug("Disabling default certificates") + disable_default_ca_certs(cloud.distro.name, distro_cfg) elif ca_cert_cfg.get("remove_defaults", False): - log.debug("Removing default certificates") - remove_default_ca_certs(cloud.distro.name, distro_cfg) + if cloud.distro.name in ["fedora", "rhel"]: + LOG.error( + "Disabling default certificates is not supported for" + " this distro." + ) + else: + LOG.debug("Disabling default certificates") + disable_default_ca_certs(cloud.distro.name, distro_cfg) # If we are given any new trusted CA certs to add, add them. if "trusted" in ca_cert_cfg: trusted_certs = util.get_cfg_option_list(ca_cert_cfg, "trusted") if trusted_certs: - log.debug("Adding %d certificates" % len(trusted_certs)) + LOG.debug("Adding %d certificates" % len(trusted_certs)) add_ca_certs(distro_cfg, trusted_certs) # Update the system with the new cert configuration. - log.debug("Updating certificates") + LOG.debug("Updating certificates") update_ca_certs(distro_cfg) diff --git a/tests/unittests/config/test_cc_ca_certs.py b/tests/unittests/config/test_cc_ca_certs.py index a0b402acda6..ff3c13f6754 100644 --- a/tests/unittests/config/test_cc_ca_certs.py +++ b/tests/unittests/config/test_cc_ca_certs.py @@ -62,7 +62,7 @@ def _fetch_distro(self, kind): paths = helpers.Paths({}) return cls(kind, {}, paths) - def _mock_init(self): + def _mock_init(self, distro_name): self.mocks = ExitStack() self.addCleanup(self.mocks.close) @@ -70,22 +70,27 @@ def _mock_init(self): self.mock_add = self.mocks.enter_context( mock.patch.object(cc_ca_certs, "add_ca_certs") ) + self.mock_remove = self.mocks.enter_context( + mock.patch.object(cc_ca_certs, "disable_default_ca_certs") + ) self.mock_update = self.mocks.enter_context( mock.patch.object(cc_ca_certs, "update_ca_certs") ) - self.mock_remove = self.mocks.enter_context( - mock.patch.object(cc_ca_certs, "remove_default_ca_certs") - ) + if distro_name == "freebsd": + mock.patch( + "cloudinit.distros.networking.subp.subp", + return_value=("", None), + ) def test_no_trusted_list(self): """ Test that no certificates are written if the 'trusted' key is not present. """ - config = {"ca-certs": {}} + config = {"ca_certs": {}} for distro_name in cc_ca_certs.distros: - self._mock_init() + self._mock_init(distro_name) cloud = get_cloud(distro_name) cc_ca_certs.handle(self.name, config, cloud, self.log, self.args) @@ -95,10 +100,10 @@ def test_no_trusted_list(self): def test_empty_trusted_list(self): """Test that no certificate are written if 'trusted' list is empty.""" - config = {"ca-certs": {"trusted": []}} + config = {"ca_certs": {"trusted": []}} for distro_name in cc_ca_certs.distros: - self._mock_init() + self._mock_init(distro_name) cloud = get_cloud(distro_name) cc_ca_certs.handle(self.name, config, cloud, self.log, self.args) @@ -108,10 +113,10 @@ def test_empty_trusted_list(self): def test_single_trusted(self): """Test that a single cert gets passed to add_ca_certs.""" - config = {"ca-certs": {"trusted": ["CERT1"]}} + config = {"ca_certs": {"trusted": ["CERT1"]}} for distro_name in cc_ca_certs.distros: - self._mock_init() + self._mock_init(distro_name) cloud = get_cloud(distro_name) conf = cc_ca_certs._distro_ca_certs_configs(distro_name) cc_ca_certs.handle(self.name, config, cloud, self.log, self.args) @@ -122,10 +127,10 @@ def test_single_trusted(self): def test_multiple_trusted(self): """Test that multiple certs get passed to add_ca_certs.""" - config = {"ca-certs": {"trusted": ["CERT1", "CERT2"]}} + config = {"ca_certs": {"trusted": ["CERT1", "CERT2"]}} for distro_name in cc_ca_certs.distros: - self._mock_init() + self._mock_init(distro_name) cloud = get_cloud(distro_name) conf = cc_ca_certs._distro_ca_certs_configs(distro_name) cc_ca_certs.handle(self.name, config, cloud, self.log, self.args) @@ -139,20 +144,23 @@ def test_remove_default_ca_certs(self): config = {"ca_certs": {"remove_defaults": True}} for distro_name in cc_ca_certs.distros: - self._mock_init() + self._mock_init(distro_name) cloud = get_cloud(distro_name) cc_ca_certs.handle(self.name, config, cloud, self.log, self.args) self.assertEqual(self.mock_add.call_count, 0) self.assertEqual(self.mock_update.call_count, 1) - self.assertEqual(self.mock_remove.call_count, 1) + if distro_name in ["fedora", "rhel"]: + self.assertEqual(self.mock_remove.call_count, 0) + else: + self.assertEqual(self.mock_remove.call_count, 1) def test_no_remove_defaults_if_false(self): """Test remove_defaults is not called when config value is False.""" config = {"ca_certs": {"remove_defaults": False}} for distro_name in cc_ca_certs.distros: - self._mock_init() + self._mock_init(distro_name) cloud = get_cloud(distro_name) cc_ca_certs.handle(self.name, config, cloud, self.log, self.args) @@ -165,14 +173,17 @@ def test_correct_order_for_remove_then_add(self): config = {"ca_certs": {"remove_defaults": True, "trusted": ["CERT1"]}} for distro_name in cc_ca_certs.distros: - self._mock_init() + self._mock_init(distro_name) cloud = get_cloud(distro_name) conf = cc_ca_certs._distro_ca_certs_configs(distro_name) cc_ca_certs.handle(self.name, config, cloud, self.log, self.args) + if distro_name in ["fedora", "rhel"]: + self.assertEqual(self.mock_remove.call_count, 0) + else: + self.assertEqual(self.mock_remove.call_count, 1) self.mock_add.assert_called_once_with(conf, ["CERT1"]) self.assertEqual(self.mock_update.call_count, 1) - self.assertEqual(self.mock_remove.call_count, 1) class TestAddCaCerts(TestCase): @@ -205,9 +216,6 @@ def test_single_cert_trailing_cr(self): when existing ca-certificates has trailing newline""" cert = "CERT1\nLINE2\nLINE3" - ca_certs_content = "line1\nline2\ncloud-init-ca-certs.crt\nline3\n" - expected = "line1\nline2\nline3\ncloud-init-ca-certs.crt\n" - self.m_stat.return_value.st_size = 1 for distro_name in cc_ca_certs.distros: @@ -217,34 +225,24 @@ def test_single_cert_trailing_cr(self): mock_write = mocks.enter_context( mock.patch.object(util, "write_file") ) - mock_load = mocks.enter_context( - mock.patch.object( - util, "load_file", return_value=ca_certs_content - ) - ) cc_ca_certs.add_ca_certs(conf, [cert]) mock_write.assert_has_calls( - [mock.call(conf["ca_cert_full_path"], cert, mode=0o644)] + [ + mock.call( + conf["ca_cert_full_path"] % {"number": "01"}, + cert, + mode=0o644, + ) + ] ) - if conf["ca_cert_config"] is not None: - mock_write.assert_has_calls( - [ - mock.call( - conf["ca_cert_config"], expected, omode="wb" - ) - ] - ) - mock_load.assert_called_once_with(conf["ca_cert_config"]) def test_single_cert_no_trailing_cr(self): """Test adding a single certificate to the trusted CAs when existing ca-certificates has no trailing newline""" cert = "CERT1\nLINE2\nLINE3" - ca_certs_content = "line1\nline2\nline3" - self.m_stat.return_value.st_size = 1 for distro_name in cc_ca_certs.distros: @@ -254,65 +252,24 @@ def test_single_cert_no_trailing_cr(self): mock_write = mocks.enter_context( mock.patch.object(util, "write_file") ) - mock_load = mocks.enter_context( - mock.patch.object( - util, "load_file", return_value=ca_certs_content - ) - ) cc_ca_certs.add_ca_certs(conf, [cert]) mock_write.assert_has_calls( - [mock.call(conf["ca_cert_full_path"], cert, mode=0o644)] - ) - if conf["ca_cert_config"] is not None: - mock_write.assert_has_calls( - [ - mock.call( - conf["ca_cert_config"], - "%s\n%s\n" - % (ca_certs_content, conf["ca_cert_filename"]), - omode="wb", - ) - ] - ) - - mock_load.assert_called_once_with(conf["ca_cert_config"]) - - def test_single_cert_to_empty_existing_ca_file(self): - """Test adding a single certificate to the trusted CAs - when existing ca-certificates.conf is empty""" - cert = "CERT1\nLINE2\nLINE3" - - expected = "cloud-init-ca-certs.crt\n" - - self.m_stat.return_value.st_size = 0 - - for distro_name in cc_ca_certs.distros: - conf = cc_ca_certs._distro_ca_certs_configs(distro_name) - with mock.patch.object( - util, "write_file", autospec=True - ) as m_write: - - cc_ca_certs.add_ca_certs(conf, [cert]) - - m_write.assert_has_calls( - [mock.call(conf["ca_cert_full_path"], cert, mode=0o644)] + [ + mock.call( + conf["ca_cert_full_path"] % {"number": "01"}, + cert, + mode=0o644, + ) + ] ) - if conf["ca_cert_config"] is not None: - m_write.assert_has_calls( - [ - mock.call( - conf["ca_cert_config"], expected, omode="wb" - ) - ] - ) def test_multiple_certs(self): """Test adding multiple certificates to the trusted CAs.""" certs = ["CERT1\nLINE2\nLINE3", "CERT2\nLINE2\nLINE3"] - expected_cert_file = "\n".join(certs) - ca_certs_content = "line1\nline2\nline3" + expected_cert_1_file = certs[0] + expected_cert_2_file = certs[1] self.m_stat.return_value.st_size = 1 @@ -323,36 +280,23 @@ def test_multiple_certs(self): mock_write = mocks.enter_context( mock.patch.object(util, "write_file") ) - mock_load = mocks.enter_context( - mock.patch.object( - util, "load_file", return_value=ca_certs_content - ) - ) cc_ca_certs.add_ca_certs(conf, certs) mock_write.assert_has_calls( [ mock.call( - conf["ca_cert_full_path"], - expected_cert_file, + conf["ca_cert_full_path"] % {"number": "01"}, + expected_cert_1_file, mode=0o644, - ) + ), + mock.call( + conf["ca_cert_full_path"] % {"number": "02"}, + expected_cert_2_file, + mode=0o644, + ), ] ) - if conf["ca_cert_config"] is not None: - mock_write.assert_has_calls( - [ - mock.call( - conf["ca_cert_config"], - "%s\n%s\n" - % (ca_certs_content, conf["ca_cert_filename"]), - omode="wb", - ) - ] - ) - - mock_load.assert_called_once_with(conf["ca_cert_config"]) class TestUpdateCaCerts(unittest.TestCase): @@ -378,32 +322,48 @@ def setUp(self): ) def test_commands(self): + ca_certs_content = "# line1\nline2\nline3\n" + expected = "# line1\n!line2\n!line3\n" + for distro_name in cc_ca_certs.distros: conf = cc_ca_certs._distro_ca_certs_configs(distro_name) with ExitStack() as mocks: - mock_delete = mocks.enter_context( - mock.patch.object(util, "delete_dir_contents") + mock_load = mocks.enter_context( + mock.patch.object( + util, + "load_file", + return_value=ca_certs_content + ) ) - mock_write = mocks.enter_context( - mock.patch.object(util, "write_file") + mock_move = mocks.enter_context( + mock.patch.object(shutil, "move") ) mock_subp = mocks.enter_context( mock.patch.object(subp, "subp") ) + mock_write = mocks.enter_context( + mock.patch.object(util, "write_file") + ) - cc_ca_certs.remove_default_ca_certs(distro_name, conf) + cc_ca_certs.disable_default_ca_certs(distro_name, conf) - mock_delete.assert_has_calls( - [ - mock.call(conf["ca_cert_path"]), - mock.call(conf["ca_cert_system_path"]), - ] - ) + if distro_name in ["fedora", "rhel"]: + self.assertEqual(mock_move.call_count, 0) + elif distro_name == "freebsd": + mock_move.assert_has_calls( + [ + mock.call( + conf["ca_cert_path"], + conf["ca_cert_blacklist_path"] + ), + ] + ) - if conf["ca_cert_config"] is not None: + if distro_name in ["alpine", "debian", "ubuntu"]: + mock_load.assert_called_once_with(conf["ca_cert_config"]) mock_write.assert_called_once_with( - conf["ca_cert_config"], "", mode=0o644 + conf["ca_cert_config"], expected, omode="wb" ) if distro_name in ["debian", "ubuntu"]: