2016-09-08 17:29:46 -05:00
|
|
|
#
|
|
|
|
|
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
import os
|
|
|
|
|
import pytest
|
|
|
|
|
|
|
|
|
|
from ipaclient import csrgen
|
|
|
|
|
from ipalib import errors
|
|
|
|
|
|
|
|
|
|
BASE_DIR = os.path.dirname(__file__)
|
|
|
|
|
CSR_DATA_DIR = os.path.join(BASE_DIR, 'data', 'test_csrgen')
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@pytest.fixture
|
|
|
|
|
def formatter():
|
|
|
|
|
return csrgen.Formatter(csr_data_dir=CSR_DATA_DIR)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@pytest.fixture
|
|
|
|
|
def rule_provider():
|
|
|
|
|
return csrgen.FileRuleProvider(csr_data_dir=CSR_DATA_DIR)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@pytest.fixture
|
|
|
|
|
def generator():
|
|
|
|
|
return csrgen.CSRGenerator(csrgen.FileRuleProvider())
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class StubRuleProvider(csrgen.RuleProvider):
|
|
|
|
|
def __init__(self):
|
|
|
|
|
self.syntax_rule = csrgen.Rule(
|
|
|
|
|
'syntax', '{{datarules|join(",")}}', {})
|
|
|
|
|
self.data_rule = csrgen.Rule('data', 'data_template', {})
|
|
|
|
|
self.field_mapping = csrgen.FieldMapping(
|
|
|
|
|
'example', self.syntax_rule, [self.data_rule])
|
|
|
|
|
self.rules = [self.field_mapping]
|
|
|
|
|
|
2017-03-21 11:21:30 -05:00
|
|
|
def rules_for_profile(self, profile_id):
|
2016-09-08 17:29:46 -05:00
|
|
|
return self.rules
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class IdentityFormatter(csrgen.Formatter):
|
|
|
|
|
base_template_name = 'identity_base.tmpl'
|
|
|
|
|
|
|
|
|
|
def __init__(self):
|
|
|
|
|
super(IdentityFormatter, self).__init__(csr_data_dir=CSR_DATA_DIR)
|
|
|
|
|
|
|
|
|
|
def _get_template_params(self, syntax_rules):
|
|
|
|
|
return {'options': syntax_rules}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class test_Formatter(object):
|
|
|
|
|
def test_prepare_data_rule_with_data_source(self, formatter):
|
|
|
|
|
data_rule = csrgen.Rule('uid', '{{subject.uid.0}}',
|
|
|
|
|
{'data_source': 'subject.uid.0'})
|
|
|
|
|
prepared = formatter._prepare_data_rule(data_rule)
|
|
|
|
|
assert prepared == '{% if subject.uid.0 %}{{subject.uid.0}}{% endif %}'
|
|
|
|
|
|
|
|
|
|
def test_prepare_data_rule_no_data_source(self, formatter):
|
|
|
|
|
"""Not a normal case, but we should handle it anyway"""
|
|
|
|
|
data_rule = csrgen.Rule('uid', 'static_text', {})
|
|
|
|
|
prepared = formatter._prepare_data_rule(data_rule)
|
|
|
|
|
assert prepared == 'static_text'
|
|
|
|
|
|
|
|
|
|
def test_prepare_syntax_rule_with_data_sources(self, formatter):
|
|
|
|
|
syntax_rule = csrgen.Rule(
|
|
|
|
|
'example', '{{datarules|join(",")}}', {})
|
|
|
|
|
data_rules = ['{{subject.field1}}', '{{subject.field2}}']
|
|
|
|
|
data_sources = ['subject.field1', 'subject.field2']
|
|
|
|
|
prepared = formatter._prepare_syntax_rule(
|
|
|
|
|
syntax_rule, data_rules, 'example', data_sources)
|
|
|
|
|
|
|
|
|
|
assert prepared == (
|
|
|
|
|
'{% if subject.field1 or subject.field2 %}{{subject.field1}},'
|
|
|
|
|
'{{subject.field2}}{% endif %}')
|
|
|
|
|
|
|
|
|
|
def test_prepare_syntax_rule_with_combinator(self, formatter):
|
|
|
|
|
syntax_rule = csrgen.Rule('example', '{{datarules|join(",")}}',
|
|
|
|
|
{'data_source_combinator': 'and'})
|
|
|
|
|
data_rules = ['{{subject.field1}}', '{{subject.field2}}']
|
|
|
|
|
data_sources = ['subject.field1', 'subject.field2']
|
|
|
|
|
prepared = formatter._prepare_syntax_rule(
|
|
|
|
|
syntax_rule, data_rules, 'example', data_sources)
|
|
|
|
|
|
|
|
|
|
assert prepared == (
|
|
|
|
|
'{% if subject.field1 and subject.field2 %}{{subject.field1}},'
|
|
|
|
|
'{{subject.field2}}{% endif %}')
|
|
|
|
|
|
|
|
|
|
def test_prepare_syntax_rule_required(self, formatter):
|
|
|
|
|
syntax_rule = csrgen.Rule('example', '{{datarules|join(",")}}',
|
|
|
|
|
{'required': True})
|
|
|
|
|
data_rules = ['{{subject.field1}}']
|
|
|
|
|
data_sources = ['subject.field1']
|
|
|
|
|
prepared = formatter._prepare_syntax_rule(
|
|
|
|
|
syntax_rule, data_rules, 'example', data_sources)
|
|
|
|
|
|
|
|
|
|
assert prepared == (
|
|
|
|
|
'{% filter required("example") %}{% if subject.field1 %}'
|
|
|
|
|
'{{subject.field1}}{% endif %}{% endfilter %}')
|
|
|
|
|
|
|
|
|
|
def test_prepare_syntax_rule_passthrough(self, formatter):
|
|
|
|
|
"""
|
|
|
|
|
Calls to macros defined as passthrough are still call tags in the final
|
|
|
|
|
template.
|
|
|
|
|
"""
|
|
|
|
|
formatter._define_passthrough('example.macro')
|
|
|
|
|
|
|
|
|
|
syntax_rule = csrgen.Rule(
|
|
|
|
|
'example',
|
|
|
|
|
'{% call example.macro() %}{{datarules|join(",")}}{% endcall %}',
|
|
|
|
|
{})
|
|
|
|
|
data_rules = ['{{subject.field1}}']
|
|
|
|
|
data_sources = ['subject.field1']
|
|
|
|
|
prepared = formatter._prepare_syntax_rule(
|
|
|
|
|
syntax_rule, data_rules, 'example', data_sources)
|
|
|
|
|
|
|
|
|
|
assert prepared == (
|
|
|
|
|
'{% if subject.field1 %}{% call example.macro() %}'
|
|
|
|
|
'{{subject.field1}}{% endcall %}{% endif %}')
|
|
|
|
|
|
|
|
|
|
def test_prepare_syntax_rule_no_data_sources(self, formatter):
|
|
|
|
|
"""Not a normal case, but we should handle it anyway"""
|
|
|
|
|
syntax_rule = csrgen.Rule(
|
|
|
|
|
'example', '{{datarules|join(",")}}', {})
|
|
|
|
|
data_rules = ['rule1', 'rule2']
|
|
|
|
|
data_sources = []
|
|
|
|
|
prepared = formatter._prepare_syntax_rule(
|
|
|
|
|
syntax_rule, data_rules, 'example', data_sources)
|
|
|
|
|
|
|
|
|
|
assert prepared == 'rule1,rule2'
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class test_FileRuleProvider(object):
|
|
|
|
|
def test_rule_basic(self, rule_provider):
|
|
|
|
|
rule_name = 'basic'
|
|
|
|
|
|
2017-03-21 11:21:30 -05:00
|
|
|
rule = rule_provider._rule(rule_name)
|
2016-09-08 17:29:46 -05:00
|
|
|
|
2017-03-21 11:21:30 -05:00
|
|
|
assert rule.template == 'openssl_rule'
|
2016-09-08 17:29:46 -05:00
|
|
|
|
|
|
|
|
def test_rule_global_options(self, rule_provider):
|
|
|
|
|
rule_name = 'options'
|
|
|
|
|
|
2017-03-21 11:21:30 -05:00
|
|
|
rule = rule_provider._rule(rule_name)
|
2016-09-08 17:29:46 -05:00
|
|
|
|
2017-03-21 11:21:30 -05:00
|
|
|
assert rule.options['rule_option'] is True
|
2016-09-08 17:29:46 -05:00
|
|
|
|
|
|
|
|
def test_rule_nosuchrule(self, rule_provider):
|
|
|
|
|
with pytest.raises(errors.NotFound):
|
2017-03-21 11:21:30 -05:00
|
|
|
rule_provider._rule('nosuchrule')
|
2016-09-08 17:29:46 -05:00
|
|
|
|
|
|
|
|
def test_rules_for_profile_success(self, rule_provider):
|
2017-03-21 11:21:30 -05:00
|
|
|
rules = rule_provider.rules_for_profile('profile')
|
2016-09-08 17:29:46 -05:00
|
|
|
|
|
|
|
|
assert len(rules) == 1
|
|
|
|
|
field_mapping = rules[0]
|
|
|
|
|
assert field_mapping.syntax_rule.name == 'basic'
|
|
|
|
|
assert len(field_mapping.data_rules) == 1
|
|
|
|
|
assert field_mapping.data_rules[0].name == 'options'
|
|
|
|
|
|
|
|
|
|
def test_rules_for_profile_nosuchprofile(self, rule_provider):
|
|
|
|
|
with pytest.raises(errors.NotFound):
|
2017-03-21 11:21:30 -05:00
|
|
|
rule_provider.rules_for_profile('nosuchprofile')
|
2016-09-08 17:29:46 -05:00
|
|
|
|
|
|
|
|
|
|
|
|
|
class test_CSRGenerator(object):
|
|
|
|
|
def test_userCert_OpenSSL(self, generator):
|
|
|
|
|
principal = {
|
|
|
|
|
'uid': ['testuser'],
|
|
|
|
|
'mail': ['testuser@example.com'],
|
|
|
|
|
}
|
|
|
|
|
config = {
|
|
|
|
|
'ipacertificatesubjectbase': [
|
|
|
|
|
'O=DOMAIN.EXAMPLE.COM'
|
|
|
|
|
],
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-21 16:23:46 -05:00
|
|
|
script = generator.csr_config(principal, config, 'userCert')
|
2016-09-08 17:29:46 -05:00
|
|
|
with open(os.path.join(
|
2017-03-21 11:21:30 -05:00
|
|
|
CSR_DATA_DIR, 'configs', 'userCert.conf')) as f:
|
2016-09-08 17:29:46 -05:00
|
|
|
expected_script = f.read()
|
|
|
|
|
assert script == expected_script
|
|
|
|
|
|
|
|
|
|
def test_caIPAserviceCert_OpenSSL(self, generator):
|
|
|
|
|
principal = {
|
|
|
|
|
'krbprincipalname': [
|
|
|
|
|
'HTTP/machine.example.com@DOMAIN.EXAMPLE.COM'
|
|
|
|
|
],
|
|
|
|
|
}
|
|
|
|
|
config = {
|
|
|
|
|
'ipacertificatesubjectbase': [
|
|
|
|
|
'O=DOMAIN.EXAMPLE.COM'
|
|
|
|
|
],
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-21 16:23:46 -05:00
|
|
|
script = generator.csr_config(
|
2017-03-21 11:21:30 -05:00
|
|
|
principal, config, 'caIPAserviceCert')
|
2016-09-08 17:29:46 -05:00
|
|
|
with open(os.path.join(
|
2017-03-21 11:21:30 -05:00
|
|
|
CSR_DATA_DIR, 'configs', 'caIPAserviceCert.conf')) as f:
|
2016-09-08 17:29:46 -05:00
|
|
|
expected_script = f.read()
|
|
|
|
|
assert script == expected_script
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class test_rule_handling(object):
|
|
|
|
|
def test_optionalAttributeMissing(self, generator):
|
|
|
|
|
principal = {'uid': 'testuser'}
|
|
|
|
|
rule_provider = StubRuleProvider()
|
|
|
|
|
rule_provider.data_rule.template = '{{subject.mail}}'
|
|
|
|
|
rule_provider.data_rule.options = {'data_source': 'subject.mail'}
|
2017-03-21 11:21:30 -05:00
|
|
|
generator = csrgen.CSRGenerator(
|
|
|
|
|
rule_provider, formatter_class=IdentityFormatter)
|
2016-09-08 17:29:46 -05:00
|
|
|
|
2017-03-21 16:23:46 -05:00
|
|
|
script = generator.csr_config(
|
2017-03-21 11:21:30 -05:00
|
|
|
principal, {}, 'example')
|
2016-09-08 17:29:46 -05:00
|
|
|
assert script == '\n'
|
|
|
|
|
|
|
|
|
|
def test_twoDataRulesOneMissing(self, generator):
|
|
|
|
|
principal = {'uid': 'testuser'}
|
|
|
|
|
rule_provider = StubRuleProvider()
|
|
|
|
|
rule_provider.data_rule.template = '{{subject.mail}}'
|
|
|
|
|
rule_provider.data_rule.options = {'data_source': 'subject.mail'}
|
|
|
|
|
rule_provider.field_mapping.data_rules.append(csrgen.Rule(
|
|
|
|
|
'data2', '{{subject.uid}}', {'data_source': 'subject.uid'}))
|
2017-03-21 11:21:30 -05:00
|
|
|
generator = csrgen.CSRGenerator(
|
|
|
|
|
rule_provider, formatter_class=IdentityFormatter)
|
2016-09-08 17:29:46 -05:00
|
|
|
|
2017-03-21 16:23:46 -05:00
|
|
|
script = generator.csr_config(principal, {}, 'example')
|
2016-09-08 17:29:46 -05:00
|
|
|
assert script == ',testuser\n'
|
|
|
|
|
|
|
|
|
|
def test_requiredAttributeMissing(self):
|
|
|
|
|
principal = {'uid': 'testuser'}
|
|
|
|
|
rule_provider = StubRuleProvider()
|
|
|
|
|
rule_provider.data_rule.template = '{{subject.mail}}'
|
|
|
|
|
rule_provider.data_rule.options = {'data_source': 'subject.mail'}
|
|
|
|
|
rule_provider.syntax_rule.options = {'required': True}
|
2017-03-21 11:21:30 -05:00
|
|
|
generator = csrgen.CSRGenerator(
|
|
|
|
|
rule_provider, formatter_class=IdentityFormatter)
|
2016-09-08 17:29:46 -05:00
|
|
|
|
|
|
|
|
with pytest.raises(errors.CSRTemplateError):
|
2017-03-21 16:23:46 -05:00
|
|
|
_script = generator.csr_config(
|
2017-03-21 11:21:30 -05:00
|
|
|
principal, {}, 'example')
|
