Fixup import of certificates

schaefi · schaefi · commit 58bd8950c056 · 2026-03-16T13:27:01.000+01:00
Only import if the file exists and is not a directory. We still assume that the file content of the pki trust directories matches certificates and not random non certificate files. This is realted to #202
diff --git a/suse_migration_services/units/prepare.py b/suse_migration_services/units/prepare.py
@@ -95,11 +95,12 @@ def perform(self):
                         cert_file = os.sep.join([root_trust_anchor, cert])
                         if os.path.islink(cert_file):
                             cert_file = os.sep.join([self.root_path, os.readlink(cert_file)])
-                        self.log.info('Importing certificate: %s', cert_file)
-                        try:
-                            shutil.copy(cert_file, trust_anchor)
-                        except FileNotFoundError as issue:
-                            self.log.warning('Import of {} failed with {}'.format(cert_file, issue))
+                        if os.path.exists(cert_file) and not os.path.isdir(cert_file):
+                            self.log.info('Importing certificate: {}'.format(cert_file))
+                            try:
+                                shutil.copy(cert_file, trust_anchor)
+                            except FileNotFoundError as issue:
+                                self.log.warning('Import of {} failed with {}'.format(cert_file, issue))
                     self.log.info('Update certificate pool')
                     Command.run(['update-ca-certificates'])
 
diff --git a/test/unit/units/prepare_test.py b/test/unit/units/prepare_test.py
@@ -209,17 +209,32 @@ def test_main(
         mock_logger_setup,
         mock_update_regionsrv_setup,
     ):
+        def isdir_side_effect(path):
+            if path == '/system-root/usr/share/pki/trust/anchors/foo':
+                return False
+            elif path == '/system-root/usr/share/pki/trust/anchors/bar':
+                return False
+            elif path == '/system-root/etc/pki/trust/anchors/foo':
+                return False
+            elif path == '/system-root/link_target':
+                return False
+            return True
+
+        def exists_side_effect(path):
+            if path == '/var/log/zypper.log':
+                return False
+            return True
 
         mock_readlink.return_value = 'link_target'
-        mock_path_isdir.side_effect = [True, True, True, True]
+        mock_path_isdir.side_effect = isdir_side_effect
         migration_config = Mock()
         migration_config.is_zypper_migration_plugin_requested.return_value = True
         mock_MigrationConfig.return_value = migration_config
         fstab = Mock()
         mock_Fstab.return_value = fstab
         mock_os_listdir.side_effect = [['foo', 'bar'], ['foo', 'bar'], ['fooSMT'], ['fooSMT']]
         mock_os_path_islink.side_effect = [False, False, False, True]
-        mock_os_path_exists.side_effect = [True, True, True, True, False, True, True, True]
+        mock_os_path_exists.side_effect = exists_side_effect
         mock_is_registered.return_value = True
         mock_Command_run.side_effect = [
             MagicMock(),
