IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
35521ad6bb92057d5faefa2059d7d800bebb1af0
freeipa/tests/test_xmlrpc/test_cert.py

180 lines
6.0 KiB
Python
Raw Normal View History

Add minimal test for the cert plugin This assumes that the developer has the equivalent of a selfsign CA installed. To do this, install IPA without a CA and copy /etc/httpd/alias/*.db to ~/.ipa/alias and /etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd
2009-12-01 17:25:50 -05:00
# Authors:
# Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2009 Red Hat
# see file 'COPYING' for use and warranty information
#
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 13:59:11 +01:00
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
Add minimal test for the cert plugin This assumes that the developer has the equivalent of a selfsign CA installed. To do this, install IPA without a CA and copy /etc/httpd/alias/*.db to ~/.ipa/alias and /etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd
2009-12-01 17:25:50 -05:00
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 13:59:11 +01:00
# along with this program. If not, see <http://www.gnu.org/licenses/>.
Add minimal test for the cert plugin This assumes that the developer has the equivalent of a selfsign CA installed. To do this, install IPA without a CA and copy /etc/httpd/alias/*.db to ~/.ipa/alias and /etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd
2009-12-01 17:25:50 -05:00
"""
Test the `ipalib/plugins/cert.py` module against the selfsign plugin.
"""
import sys
Fix the cert plugin tests These tests rely on the existence of a backend CA. It is easiest to test with a self-signed CA in ~/.ipa so that is what I documented. These tests are skipped if no CA is available. Improved robustness a bit by putting the cleanup as a separate test.
2010-01-28 16:11:01 -05:00
import os
Add minimal test for the cert plugin This assumes that the developer has the equivalent of a selfsign CA installed. To do this, install IPA without a CA and copy /etc/httpd/alias/*.db to ~/.ipa/alias and /etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd
2009-12-01 17:25:50 -05:00
import shutil
from xmlrpc_test import XMLRPC_test, assert_attr_equal
from ipalib import api
from ipalib import errors
import tempfile
from ipapython import ipautil
Take 2: Extensible return values and validation; steps toward a single output_for_cli(); enable more webUI stuff
2009-12-09 09:09:53 -07:00
import nose
Add test to ensure that a certificate we issue is actually stored properly.
2010-07-12 17:15:58 -04:00
import base64
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
from ipalib.dn import *
Add test to ensure that a certificate we issue is actually stored properly.
2010-07-12 17:15:58 -04:00
# So we can save the cert from issuance and compare it later
cert = None
Fix replacing a certificate in a service. When a service has a certificate and the CA backend doesn't support revocation (like selfsign) then we simply drop the old certificate in preparation for adding a new one. We weren't setting the usercertificate attribute to None so there was nothing to do in ldap_update(). Added a test case for this situation to ensure that re-issuing a certificate works. ticket #88
2010-07-22 16:08:17 -04:00
newcert = None
Add minimal test for the cert plugin This assumes that the developer has the equivalent of a selfsign CA installed. To do this, install IPA without a CA and copy /etc/httpd/alias/*.db to ~/.ipa/alias and /etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd
2009-12-01 17:25:50 -05:00
Fix the cert plugin tests These tests rely on the existence of a backend CA. It is easiest to test with a self-signed CA in ~/.ipa so that is what I documented. These tests are skipped if no CA is available. Improved robustness a bit by putting the cleanup as a separate test.
2010-01-28 16:11:01 -05:00
# Test setup
#
# This test needs a configured CA behind it in order to work properly
# It currently specifically tests for a self-signed CA but there is no
# reason the test wouldn't work with a dogtag CA as well with some
# additional work. This will change when selfsign is no longer the default CA.
#
# To set it up grab the 3 NSS db files from a self-signed CA from
# /etc/httpd/alias to ~/.ipa/alias. Copy /etc/httpd/alias/pwdfile.txt to
# ~/.ipa/alias/.pwd. Change ownership of these files too. That should do it.
Add minimal test for the cert plugin This assumes that the developer has the equivalent of a selfsign CA installed. To do this, install IPA without a CA and copy /etc/httpd/alias/*.db to ~/.ipa/alias and /etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd
2009-12-01 17:25:50 -05:00
class test_cert(XMLRPC_test):
def run_certutil(self, args, stdin=None):
new_args = ["/usr/bin/certutil", "-d", self.reqdir]
new_args = new_args + args
return ipautil.run(new_args, stdin)
def setUp(self):
Take 2: Extensible return values and validation; steps toward a single output_for_cli(); enable more webUI stuff
2009-12-09 09:09:53 -07:00
if 'cert_request' not in api.Command:
raise nose.SkipTest('cert_request not registered')
Fix the cert plugin tests These tests rely on the existence of a backend CA. It is easiest to test with a self-signed CA in ~/.ipa so that is what I documented. These tests are skipped if no CA is available. Improved robustness a bit by putting the cleanup as a separate test.
2010-01-28 16:11:01 -05:00
if not ipautil.file_exists(api.env.dot_ipa + os.sep + 'alias' + os.sep + '.pwd'):
raise nose.SkipTest('developer self-signed CA not configured')
Add minimal test for the cert plugin This assumes that the developer has the equivalent of a selfsign CA installed. To do this, install IPA without a CA and copy /etc/httpd/alias/*.db to ~/.ipa/alias and /etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd
2009-12-01 17:25:50 -05:00
super(test_cert, self).setUp()
self.reqdir = tempfile.mkdtemp(prefix = "tmp-")
self.reqfile = self.reqdir + "/test.csr"
self.pwname = self.reqdir + "/pwd"
# Create an empty password file
fp = open(self.pwname, "w")
fp.write("\n")
fp.close()
# Create our temporary NSS database
self.run_certutil(["-N", "-f", self.pwname])
def tearDown(self):
super(test_cert, self).tearDown()
shutil.rmtree(self.reqdir, ignore_errors=True)
def generateCSR(self, subject):
self.run_certutil(["-R", "-s", subject,
"-o", self.reqfile,
"-z", "/etc/group",
"-f", self.pwname,
"-a",
])
fp = open(self.reqfile, "r")
data = fp.read()
fp.close()
return data
"""
Test the `cert` plugin.
"""
host_fqdn = u'ipatestcert.%s' % api.env.domain
service_princ = u'test/%s@%s' % (host_fqdn, api.env.realm)
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
subject = DN(('CN',host_fqdn),('O',api.env.realm))
Add minimal test for the cert plugin This assumes that the developer has the equivalent of a selfsign CA installed. To do this, install IPA without a CA and copy /etc/httpd/alias/*.db to ~/.ipa/alias and /etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd
2009-12-01 17:25:50 -05:00
def test_1_cert_add(self):
"""
Test the `xmlrpc.cert_request` method without --add.
This should fail because the service principal doesn't exist
"""
# First create the host that will use this policy
Require that hosts be resolvable in DNS. Use --force to ignore warnings. This also requires a resolvable hostname on services as well. I want people to think long and hard about adding things that aren't resolvable. The cert plugin can automatically create services on the user's behalf when issuing a cert. It will always set the force flag to True. We use a lot of made-up host names in the test system, all of which require the force flag now. ticket #25
2010-07-22 14:16:22 -04:00
res = api.Command['host_add'](self.host_fqdn, force= True)['result']
Add minimal test for the cert plugin This assumes that the developer has the equivalent of a selfsign CA installed. To do this, install IPA without a CA and copy /etc/httpd/alias/*.db to ~/.ipa/alias and /etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd
2009-12-01 17:25:50 -05:00
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
csr = unicode(self.generateCSR(str(self.subject)))
Add minimal test for the cert plugin This assumes that the developer has the equivalent of a selfsign CA installed. To do this, install IPA without a CA and copy /etc/httpd/alias/*.db to ~/.ipa/alias and /etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd
2009-12-01 17:25:50 -05:00
try:
Fix the cert plugin tests These tests rely on the existence of a backend CA. It is easiest to test with a self-signed CA in ~/.ipa so that is what I documented. These tests are skipped if no CA is available. Improved robustness a bit by putting the cleanup as a separate test.
2010-01-28 16:11:01 -05:00
res = api.Command['cert_request'](csr, principal=self.service_princ)
Add minimal test for the cert plugin This assumes that the developer has the equivalent of a selfsign CA installed. To do this, install IPA without a CA and copy /etc/httpd/alias/*.db to ~/.ipa/alias and /etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd
2009-12-01 17:25:50 -05:00
assert False
except errors.NotFound:
pass
def test_2_cert_add(self):
"""
Test the `xmlrpc.cert_request` method with --add.
"""
# Our host should exist from previous test
Add test to ensure that a certificate we issue is actually stored properly.
2010-07-12 17:15:58 -04:00
global cert
Add minimal test for the cert plugin This assumes that the developer has the equivalent of a selfsign CA installed. To do this, install IPA without a CA and copy /etc/httpd/alias/*.db to ~/.ipa/alias and /etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd
2009-12-01 17:25:50 -05:00
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
csr = unicode(self.generateCSR(str(self.subject)))
Fix the cert plugin tests These tests rely on the existence of a backend CA. It is easiest to test with a self-signed CA in ~/.ipa so that is what I documented. These tests are skipped if no CA is available. Improved robustness a bit by putting the cleanup as a separate test.
2010-01-28 16:11:01 -05:00
res = api.Command['cert_request'](csr, principal=self.service_princ, add=True)['result']
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
assert DN(res['subject']) == self.subject
Add test to ensure that a certificate we issue is actually stored properly.
2010-07-12 17:15:58 -04:00
# save the cert for the service_show/find tests
cert = res['certificate']
def test_3_service_show(self):
"""
Fix replacing a certificate in a service. When a service has a certificate and the CA backend doesn't support revocation (like selfsign) then we simply drop the old certificate in preparation for adding a new one. We weren't setting the usercertificate attribute to None so there was nothing to do in ldap_update(). Added a test case for this situation to ensure that re-issuing a certificate works. ticket #88
2010-07-22 16:08:17 -04:00
Verify that service-show has the right certificate using service-show.
Add test to ensure that a certificate we issue is actually stored properly.
2010-07-12 17:15:58 -04:00
"""
global cert
res = api.Command['service_show'](self.service_princ)['result']
assert base64.b64encode(res['usercertificate'][0]) == cert
Add minimal test for the cert plugin This assumes that the developer has the equivalent of a selfsign CA installed. To do this, install IPA without a CA and copy /etc/httpd/alias/*.db to ~/.ipa/alias and /etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd
2009-12-01 17:25:50 -05:00
Add test to ensure that a certificate we issue is actually stored properly.
2010-07-12 17:15:58 -04:00
def test_4_service_find(self):
"""
Fix replacing a certificate in a service. When a service has a certificate and the CA backend doesn't support revocation (like selfsign) then we simply drop the old certificate in preparation for adding a new one. We weren't setting the usercertificate attribute to None so there was nothing to do in ldap_update(). Added a test case for this situation to ensure that re-issuing a certificate works. ticket #88
2010-07-22 16:08:17 -04:00
Verify that service-find has the right certificate using service-find.
Add test to ensure that a certificate we issue is actually stored properly.
2010-07-12 17:15:58 -04:00
"""
global cert
# Assume there is only one service
res = api.Command['service_find'](self.service_princ)['result']
assert base64.b64encode(res[0]['usercertificate'][0]) == cert
Fix the cert plugin tests These tests rely on the existence of a backend CA. It is easiest to test with a self-signed CA in ~/.ipa so that is what I documented. These tests are skipped if no CA is available. Improved robustness a bit by putting the cleanup as a separate test.
2010-01-28 16:11:01 -05:00
Fix replacing a certificate in a service. When a service has a certificate and the CA backend doesn't support revocation (like selfsign) then we simply drop the old certificate in preparation for adding a new one. We weren't setting the usercertificate attribute to None so there was nothing to do in ldap_update(). Added a test case for this situation to ensure that re-issuing a certificate works. ticket #88
2010-07-22 16:08:17 -04:00
def test_5_cert_renew(self):
"""
Issue a new certificate for a service
"""
global newcert
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
csr = unicode(self.generateCSR(str(self.subject)))
Fix replacing a certificate in a service. When a service has a certificate and the CA backend doesn't support revocation (like selfsign) then we simply drop the old certificate in preparation for adding a new one. We weren't setting the usercertificate attribute to None so there was nothing to do in ldap_update(). Added a test case for this situation to ensure that re-issuing a certificate works. ticket #88
2010-07-22 16:08:17 -04:00
res = api.Command['cert_request'](csr, principal=self.service_princ)['result']
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
assert DN(res['subject']) == self.subject
Fix replacing a certificate in a service. When a service has a certificate and the CA backend doesn't support revocation (like selfsign) then we simply drop the old certificate in preparation for adding a new one. We weren't setting the usercertificate attribute to None so there was nothing to do in ldap_update(). Added a test case for this situation to ensure that re-issuing a certificate works. ticket #88
2010-07-22 16:08:17 -04:00
# save the cert for the service_show/find tests
newcert = res['certificate']
def test_6_service_show(self):
"""
Verify the new certificate with service-show.
"""
global cert, newcert
res = api.Command['service_show'](self.service_princ)['result']
# It should no longer match our old cert
assert base64.b64encode(res['usercertificate'][0]) != cert
# And it should match the new one
assert base64.b64encode(res['usercertificate'][0]) == newcert
def test_7_cleanup(self):
Add test to ensure that a certificate we issue is actually stored properly.
2010-07-12 17:15:58 -04:00
"""
Clean up cert test data
"""
Add minimal test for the cert plugin This assumes that the developer has the equivalent of a selfsign CA installed. To do this, install IPA without a CA and copy /etc/httpd/alias/*.db to ~/.ipa/alias and /etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd
2009-12-01 17:25:50 -05:00
# Now clean things up
api.Command['host_del'](self.host_fqdn)
Fix the cert plugin tests These tests rely on the existence of a backend CA. It is easiest to test with a self-signed CA in ~/.ipa so that is what I documented. These tests are skipped if no CA is available. Improved robustness a bit by putting the cleanup as a separate test.
2010-01-28 16:11:01 -05:00
Add test to ensure that a certificate we issue is actually stored properly.
2010-07-12 17:15:58 -04:00
# Verify that the service is gone
res = api.Command['service_find'](self.service_princ)
assert res['count'] == 0
Reference in New Issue Copy Permalink