ca: Test OID migration

Since "ca: Do not use a 128bits OID arc for caucase internal use" new OIDs
are used, but the migration was not tested, so it's added here.

caucase/test.py

@@ -2871,6 +2871,96 @@ class CaucaseTest(unittest.TestCase):
     self.assertEqual(os.stat(self._server_db).st_mode & 0o777, 0o600)
     self.assertEqual(os.stat(self._server_key).st_mode & 0o777, 0o600)
 
+  def testOidMigration(self):
+    """Tests OID migration
+
+       Monkey patches caucase.utils in order to create user certificate
+       with previously used OID, then using original approach renews the
+       certificate and shows, that new OIDs are used
+    """
+    CAUCASE_LEGACY_POLICY_INFORMATION_AUTO_SIGNED = x509.PolicyInformation(
+      x509.oid.ObjectIdentifier(
+        # hardcode in order to avoid change of the original code
+        '2.25.285541874270823339875695650038637483517.0',
+      ),
+      [
+        x509.UserNotice(
+          None,
+          'Auto-signed caucase certificate',
+        ),
+      ]
+    )
+    self._stopServer()
+    # Monkey patch
+    pre_monkey_CAUCASE_POLICY_INFORMATION_AUTO_SIGNED = \
+      utils.CAUCASE_POLICY_INFORMATION_AUTO_SIGNED
+    def unMonkeyPatch():
+      """Removes monkey patch on utils"""
+      utils.CAUCASE_POLICY_INFORMATION_AUTO_SIGNED = \
+        pre_monkey_CAUCASE_POLICY_INFORMATION_AUTO_SIGNED
+    self.addCleanup(unMonkeyPatch)
+    utils.CAUCASE_POLICY_INFORMATION_AUTO_SIGNED = \
+      CAUCASE_LEGACY_POLICY_INFORMATION_AUTO_SIGNED
+    self._startServer()
+    # Get a user key pair
+    user_key_path = self._createFirstUser()
+    self._stopServer()
+    unMonkeyPatch()
+    cau_crt_list = [
+      utils.load_ca_certificate(x)
+      for x in utils.getCertList(self._client_user_ca_crt)
+    ]
+    # It must have been auto-signed
+    self.assertTrue(utils.isCertificateAutoSigned(utils.load_certificate(
+      # utils.getCert(user_key_path) does not raise anymore
+      utils.getCert(user_key_path),
+      cau_crt_list,
+      None,
+    )))
+    # Check content of auto-issued user certificate
+    user_crt = utils.load_certificate(
+      utils.getCert(user_key_path),
+      cau_crt_list,
+      None,
+    )
+    user_certificate_policies = user_crt.extensions.get_extension_for_class(
+      x509.CertificatePolicies,
+    )
+    # And now assert that old OID tree is used
+    self.assertEqual(
+      user_certificate_policies.value,
+      x509.CertificatePolicies([
+        CAUCASE_LEGACY_POLICY_INFORMATION_AUTO_SIGNED,
+      ]),
+    )
+    self.assertFalse(user_certificate_policies.critical)
+    self._startServer()
+    self._runClient(
+      # 100 days is longer than certificate life, so it will be immediately
+      # renewed.
+      '--mode', 'user',
+      '--threshold', '100',
+      '--renew-crt', user_key_path, '',
+    )
+    # Check content of auto-issued user certificate
+    user_crt = utils.load_certificate(
+      utils.getCert(user_key_path),
+      cau_crt_list,
+      None,
+    )
+    user_certificate_policies = user_crt.extensions.get_extension_for_class(
+      x509.CertificatePolicies,
+    )
+    # Assert that new OID is used, but use local information, in order
+    # to not trust unMonkeyPatching
+    self.assertEqual(
+      user_certificate_policies.value,
+      x509.CertificatePolicies([
+        pre_monkey_CAUCASE_POLICY_INFORMATION_AUTO_SIGNED,
+      ]),
+    )
+    self.assertFalse(user_certificate_policies.critical)
+
 for property_id, property_value in CaucaseTest.__dict__.iteritems():
   if property_id.startswith('test') and callable(property_value):
     setattr(CaucaseTest, property_id, print_buffer_on_error(property_value))