freeipa/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py

# -*- coding: utf-8 -*-
#
# Copyright (C) 2015  FreeIPA Contributors see COPYING for license
#

import os
import pytest
import tempfile

import six

from ipalib import api, errors
from ipatests.util import (
    prepare_config, unlock_principal_password, change_principal)
from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
from ipatests.test_xmlrpc.tracker.certprofile_plugin import CertprofileTracker
from ipatests.test_xmlrpc.tracker.caacl_plugin import CAACLTracker
from ipatests.test_xmlrpc.tracker.ca_plugin import CATracker

from ipapython.ipautil import run

if six.PY3:
    unicode = str

BASE_DIR = os.path.dirname(__file__)

SMIME_PROFILE_TEMPLATE = os.path.join(BASE_DIR, 'data/smime.cfg.tmpl')
SMIME_MOD_CONSTR_PROFILE_TEMPLATE = os.path.join(BASE_DIR, 'data/smime-mod.cfg.tmpl')
CERT_OPENSSL_CONFIG_TEMPLATE = os.path.join(BASE_DIR, 'data/usercert.conf.tmpl')
CERT_RSA_PRIVATE_KEY_PATH = os.path.join(BASE_DIR, 'data/usercert-priv-key.pem')


SMIME_USER_INIT_PW = u'Change123'
SMIME_USER_PW = u'Secret123'


def generate_user_csr(username, domain=None):
    csr_values = dict(
        ipadomain=domain if domain else api.env.domain,
        username=username)

    with tempfile.NamedTemporaryFile(mode='w') as csr_file:
        run(['openssl', 'req', '-new', '-key', CERT_RSA_PRIVATE_KEY_PATH,
             '-out', csr_file.name,
             '-config', prepare_config(
                 CERT_OPENSSL_CONFIG_TEMPLATE, csr_values)])

        with open(csr_file.name, 'r') as f:
            csr = unicode(f.read())

    return csr


@pytest.fixture(scope='class')
def smime_profile(request):
    profile_path = prepare_config(
            SMIME_PROFILE_TEMPLATE,
            dict(ipadomain=api.env.domain, iparealm=api.env.realm))

    tracker = CertprofileTracker(u'smime', store=True,
                                 desc=u"S/MIME certificate profile",
                                 profile=profile_path)

    return tracker.make_fixture(request)


@pytest.fixture(scope='class')
def smime_acl(request):
    tracker = CAACLTracker(u'smime_acl')

    return tracker.make_fixture(request)


# TODO: rewrite these into Tracker instances
# UserTracker has problems while setting passwords.
# Until fixed, will use this fixture.
@pytest.fixture(scope='class')
def smime_user(request):
    username = u'alice'
    api.Command.user_add(uid=username, givenname=u'Alice', sn=u'SMIME',
                         userpassword=SMIME_USER_INIT_PW)

    unlock_principal_password(username, SMIME_USER_INIT_PW, SMIME_USER_PW)

    def fin():
        api.Command.user_del(username)
    request.addfinalizer(fin)

    return username


@pytest.fixture(scope='class')
def smime_group(request):
    api.Command.group_add(u'smime_users')

    def fin():
        api.Command.group_del(u'smime_users')
    request.addfinalizer(fin)

    return u'smime_users'


@pytest.mark.tier1
class TestCertSignMIME(XMLRPC_test):

    def test_cert_import(self, smime_profile):
        smime_profile.ensure_exists()

    def test_create_acl(self, smime_acl):
        smime_acl.ensure_exists()

    def test_add_profile_to_acl(self, smime_acl, smime_profile):
        smime_acl.add_profile(certprofile=smime_profile.name)

    # rewrite to trackers, prepare elsewhere
    def test_add_user_to_group(self, smime_group, smime_user):
        api.Command.group_add_member(smime_group, user=smime_user)

    def test_add_group_to_acl(self, smime_group, smime_acl):
        smime_acl.add_user(group=smime_group)

    def test_sign_smime_csr(self, smime_profile, smime_user):
        csr = generate_user_csr(smime_user)
        with change_principal(smime_user, SMIME_USER_PW):
            api.Command.cert_request(csr, principal=smime_user,
                                     profile_id=smime_profile.name)

    def test_sign_smime_csr_full_principal(self, smime_profile, smime_user):
        csr = generate_user_csr(smime_user)
        smime_user_principal = '@'.join((smime_user, api.env.realm))
        with change_principal(smime_user, SMIME_USER_PW):
            api.Command.cert_request(csr, principal=smime_user_principal,
                                     profile_id=smime_profile.name)


@pytest.mark.tier1
class TestSignWithDisabledACL(XMLRPC_test):

    def test_import_profile_and_acl(self, smime_profile, smime_acl):
        smime_profile.ensure_exists()
        smime_acl.ensure_missing()
        smime_acl.ensure_exists()

    def test_add_profile_to_acl(self, smime_acl, smime_profile):
        smime_acl.add_profile(certprofile=smime_profile.name)

    # rewrite to trackers, prepare elsewhere
    def test_add_user_to_group(self, smime_group, smime_user):
        api.Command.group_add_member(smime_group, user=smime_user)

    def test_add_group_to_acl(self, smime_group, smime_acl):
        smime_acl.add_user(group=smime_group)

    def test_disable_acl(self, smime_acl):
        smime_acl.disable()

    def test_signing_with_disabled_acl(self, smime_acl, smime_profile,
                                       smime_user):
        csr = generate_user_csr(smime_user)
        with change_principal(smime_user, SMIME_USER_PW):
            with pytest.raises(errors.ACIError):
                api.Command.cert_request(
                    csr, profile_id=smime_profile.name,
                    principal=smime_user)

    def test_admin_overrides_disabled_acl(self, smime_acl, smime_profile,
                                          smime_user):
        csr = generate_user_csr(smime_user)
        api.Command.cert_request(
            csr, profile_id=smime_profile.name,
            principal=smime_user)


@pytest.mark.tier1
class TestSignWithoutGroupMembership(XMLRPC_test):

    def test_import_profile_and_acl(self, smime_profile, smime_acl):
        smime_profile.ensure_exists()
        smime_acl.ensure_missing()
        smime_acl.ensure_exists()

    def test_add_profile_to_acl(self, smime_acl, smime_profile):
        smime_acl.add_profile(certprofile=smime_profile.name)

    def test_add_group_to_acl(self, smime_group, smime_acl, smime_user):
        # smime user should not be a member of this group
        #
        # adding smime_user fixture to ensure it exists
        smime_acl.add_user(group=smime_group)

    def test_signing_with_non_member_principal(self, smime_acl, smime_profile,
                                               smime_user):

        csr = generate_user_csr(smime_user)
        with change_principal(smime_user, SMIME_USER_PW):
            with pytest.raises(errors.ACIError):
                api.Command.cert_request(
                    csr,
                    profile_id=smime_profile.name,
                    principal=smime_user)

    def test_admin_overrides_group_membership(self, smime_acl, smime_profile,
                                              smime_user):
        csr = generate_user_csr(smime_user)
        api.Command.cert_request(
            csr, profile_id=smime_profile.name,
            principal=smime_user)


@pytest.mark.tier1
class TestSignWithChangedProfile(XMLRPC_test):
    """ Test to verify that the updated profile is used.

    The profile change requires different CN in CSR
    than the one configured. This leads to rejection
    based on not meeting the profile constraints.
    """

    def test_prepare_env(self, smime_profile, smime_acl):
        smime_profile.ensure_exists()
        smime_acl.ensure_exists()

        smime_acl.add_profile(certprofile=smime_profile.name)

    def test_prepare_user_and_group(self, smime_group, smime_user, smime_acl):
        api.Command.group_add_member(smime_group, user=smime_user)
        smime_acl.add_user(group=smime_group)

    def test_modify_smime_profile(self, smime_profile):
        updated_profile_path = prepare_config(SMIME_MOD_CONSTR_PROFILE_TEMPLATE,
                                              dict(
                                                   ipadomain=api.env.domain,
                                                   iparealm=api.env.realm))

        with open(updated_profile_path) as f:
            updated_profile = unicode(f.read())

        updates = {u'file': updated_profile}
        update_smime_profile = smime_profile.make_update_command(updates)
        update_smime_profile()

    def test_sign_smime_csr(self, smime_profile, smime_user):
        csr = generate_user_csr(smime_user)
        with change_principal(smime_user, SMIME_USER_PW):
            with pytest.raises(errors.CertificateOperationError):
                api.Command.cert_request(csr, principal=smime_user,
                                         profile_id=smime_profile.name)


@pytest.fixture(scope='class')
def smime_signing_ca(request):
    name = u'smime-signing-ca'
    subject = u'CN=SMIME CA,O=test industries Inc.'
    return CATracker(name, subject).make_fixture(request)


@pytest.mark.tier1
class TestCertSignMIMEwithSubCA(XMLRPC_test):
    """ Test Certificate Signing with Sub CA

    The test covers following areas:

     * signing a CSR with custom certificate profile
       using a designated Sub CA
     * Verify that the Issuer of the signed certificate
       is the reqested CA
     * Verify that when not set, cert-request uses the default CA.
       This it verified by violating an ACL
     * Verify that when not set, cert-request uses the default
       certificate profile.

    The latter two test cases are implemented in this module
    as not to replicate the fixtures to cert plugin test module.
    """

    def test_cert_import(self, smime_profile):
        smime_profile.ensure_exists()

    def test_create_acl(self, smime_acl):
        smime_acl.ensure_exists()

    def test_create_subca(self, smime_signing_ca):
        smime_signing_ca.ensure_exists()

    def test_add_profile_to_acl(self, smime_acl, smime_profile):
        smime_acl.add_profile(certprofile=smime_profile.name)

    def test_add_subca_to_acl(self, smime_acl, smime_signing_ca):
        smime_acl.add_ca(smime_signing_ca.name)

    # rewrite to trackers, prepare elsewhere
    def test_add_user_to_group(self, smime_group, smime_user):
        api.Command.group_add_member(smime_group, user=smime_user)

    def test_add_group_to_acl(self, smime_group, smime_acl):
        smime_acl.add_user(group=smime_group)

    def test_sign_smime_csr(self, smime_profile, smime_user, smime_signing_ca):
        csr = generate_user_csr(smime_user)
        with change_principal(smime_user, SMIME_USER_PW):
            api.Command.cert_request(csr, principal=smime_user,
                                     profile_id=smime_profile.name,
                                     cacn=smime_signing_ca.name)

    def test_sign_smime_csr_full_principal(
            self, smime_profile, smime_user, smime_signing_ca):
        csr = generate_user_csr(smime_user)
        smime_user_principal = '@'.join((smime_user, api.env.realm))
        with change_principal(smime_user, SMIME_USER_PW):
            api.Command.cert_request(csr, principal=smime_user_principal,
                                     profile_id=smime_profile.name,
                                     cacn=smime_signing_ca.name)

    def test_verify_cert_issuer_dn_is_subca(
            self, smime_profile, smime_user, smime_signing_ca):
        csr = generate_user_csr(smime_user)
        smime_user_principal = '@'.join((smime_user, api.env.realm))
        with change_principal(smime_user, SMIME_USER_PW):
            cert_info = api.Command.cert_request(
                csr, principal=smime_user_principal,
                profile_id=smime_profile.name, cacn=smime_signing_ca.name)

        assert cert_info['result']['issuer'] == smime_signing_ca.ipasubjectdn

    def test_sign_smime_csr_fallback_to_default_CA(
            self, smime_profile, smime_user, smime_signing_ca):
        """ Attempt to sign a CSR without CA specified.

        The request will satisfy SMIME_ACL via the profile ID,
        however not specifying the CA will fallback to the IPA CA
        for which SMIME profile isn't enabled, thus violating ACL.
        """
        csr = generate_user_csr(smime_user)
        smime_user_principal = '@'.join((smime_user, api.env.realm))

        with pytest.raises(errors.ACIError):
            with change_principal(smime_user, SMIME_USER_PW):
                api.Command.cert_request(csr, principal=smime_user_principal,
                                         profile_id=smime_profile.name)

    def test_sign_smime_csr_fallback_to_default_cert_profile(
            self, smime_profile, smime_user, smime_signing_ca):
        """ Attempt to sign a CSR without certificate profile specified.

        Similar to previous test case.
        By specifying only the CA to use, profile will fallback to
        the default caIPAserviceCert profile which is not enabled
        via ACL to be used with the CA, thus failing the request.
        """
        csr = generate_user_csr(smime_user)
        smime_user_principal = '@'.join((smime_user, api.env.realm))

        with pytest.raises(errors.ACIError):
            with change_principal(smime_user, SMIME_USER_PW):
                api.Command.cert_request(csr, principal=smime_user_principal,
                                         cacn=smime_signing_ca.name)
ipatests: CA ACL and cert profile functional test https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com> 2015-09-22 08:22:25 -05:00			`# -- coding: utf-8 --`
			`#`
			`# Copyright (C) 2015 FreeIPA Contributors see COPYING for license`
			`#`

			`import os`
			`import pytest`
			`import tempfile`

Alias "unicode" to "str" under Python 3 Follow-up to commit 23507e6124041ed17f39db211e802495e37520e7 The six way of doing this is to replace all occurences of "unicode" with "six.text_type". However, "unicode" is non-ambiguous and (arguably) easier to read. Also, using it makes the patches smaller, which should help with backporting. https://fedorahosted.org/freeipa/ticket/5623 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 2016-01-05 06:54:43 -06:00			`import six`

ipatests: CA ACL and cert profile functional test https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com> 2015-09-22 08:22:25 -05:00			`from ipalib import api, errors`
			`from ipatests.util import (`
			`prepare_config, unlock_principal_password, change_principal)`
			`from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test`
Separated Tracker implementations into standalone package The previous way of implementing trackers in the module with the test caused circular imports. The separate package resolves this issue. https://fedorahosted.org/freeipa/ticket/5467 Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com> 2015-11-19 09:07:29 -06:00			`from ipatests.test_xmlrpc.tracker.certprofile_plugin import CertprofileTracker`
			`from ipatests.test_xmlrpc.tracker.caacl_plugin import CAACLTracker`
ipatests: Test Sub CA with CAACL and certificate profile Test the Sub CA feature by signing a CSR with custom certificate profile. The test also covers 'cert-request' fallback behaviour for missing 'cacn' and 'profile-id' options by reusing the fixtures from the module. https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> 2016-06-21 08:57:58 -05:00			`from ipatests.test_xmlrpc.tracker.ca_plugin import CATracker`
ipatests: CA ACL and cert profile functional test https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com> 2015-09-22 08:22:25 -05:00
			`from ipapython.ipautil import run`

Alias "unicode" to "str" under Python 3 Follow-up to commit 23507e6124041ed17f39db211e802495e37520e7 The six way of doing this is to replace all occurences of "unicode" with "six.text_type". However, "unicode" is non-ambiguous and (arguably) easier to read. Also, using it makes the patches smaller, which should help with backporting. https://fedorahosted.org/freeipa/ticket/5623 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 2016-01-05 06:54:43 -06:00			`if six.PY3:`
			`unicode = str`

ipatests: CA ACL and cert profile functional test https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com> 2015-09-22 08:22:25 -05:00			`BASE_DIR = os.path.dirname(__file__)`

			`SMIME_PROFILE_TEMPLATE = os.path.join(BASE_DIR, 'data/smime.cfg.tmpl')`
			`SMIME_MOD_CONSTR_PROFILE_TEMPLATE = os.path.join(BASE_DIR, 'data/smime-mod.cfg.tmpl')`
			`CERT_OPENSSL_CONFIG_TEMPLATE = os.path.join(BASE_DIR, 'data/usercert.conf.tmpl')`
			`CERT_RSA_PRIVATE_KEY_PATH = os.path.join(BASE_DIR, 'data/usercert-priv-key.pem')`


			`SMIME_USER_INIT_PW = u'Change123'`
			`SMIME_USER_PW = u'Secret123'`


			`def generate_user_csr(username, domain=None):`
			`csr_values = dict(`
			`ipadomain=domain if domain else api.env.domain,`
			`username=username)`

			`with tempfile.NamedTemporaryFile(mode='w') as csr_file:`
			`run(['openssl', 'req', '-new', '-key', CERT_RSA_PRIVATE_KEY_PATH,`
			`'-out', csr_file.name,`
			`'-config', prepare_config(`
			`CERT_OPENSSL_CONFIG_TEMPLATE, csr_values)])`

			`with open(csr_file.name, 'r') as f:`
			`csr = unicode(f.read())`

			`return csr`


			`@pytest.fixture(scope='class')`
			`def smime_profile(request):`
			`profile_path = prepare_config(`
			`SMIME_PROFILE_TEMPLATE,`
			`dict(ipadomain=api.env.domain, iparealm=api.env.realm))`

			`tracker = CertprofileTracker(u'smime', store=True,`
			`desc=u"S/MIME certificate profile",`
			`profile=profile_path)`

			`return tracker.make_fixture(request)`


			`@pytest.fixture(scope='class')`
			`def smime_acl(request):`
			`tracker = CAACLTracker(u'smime_acl')`

			`return tracker.make_fixture(request)`


			`# TODO: rewrite these into Tracker instances`
			`# UserTracker has problems while setting passwords.`
			`# Until fixed, will use this fixture.`
			`@pytest.fixture(scope='class')`
			`def smime_user(request):`
			`username = u'alice'`
			`api.Command.user_add(uid=username, givenname=u'Alice', sn=u'SMIME',`
			`userpassword=SMIME_USER_INIT_PW)`

			`unlock_principal_password(username, SMIME_USER_INIT_PW, SMIME_USER_PW)`

			`def fin():`
			`api.Command.user_del(username)`
			`request.addfinalizer(fin)`

			`return username`


			`@pytest.fixture(scope='class')`
			`def smime_group(request):`
			`api.Command.group_add(u'smime_users')`

			`def fin():`
			`api.Command.group_del(u'smime_users')`
			`request.addfinalizer(fin)`

			`return u'smime_users'`


Applied tier0 and tier1 marks on unit tests and xmlrpc tests Web UI tests were marked as tier1 tests. The tier system is intended to be used together with CI system to make sure the more complicated tests are being run only when all of the basic functionality is working. The system is using pytest's marker system. E.g. an invocation of all tier1 tests with listing will look like: $ py.test -v -m tier1 ipatests or in case of out of tree tests: $ ipa-run-tests -m tier1 Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com> 2015-04-24 07:39:48 -05:00			`@pytest.mark.tier1`
ipatests: CA ACL and cert profile functional test https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com> 2015-09-22 08:22:25 -05:00			`class TestCertSignMIME(XMLRPC_test):`

			`def test_cert_import(self, smime_profile):`
			`smime_profile.ensure_exists()`

			`def test_create_acl(self, smime_acl):`
			`smime_acl.ensure_exists()`

			`def test_add_profile_to_acl(self, smime_acl, smime_profile):`
			`smime_acl.add_profile(certprofile=smime_profile.name)`

			`# rewrite to trackers, prepare elsewhere`
			`def test_add_user_to_group(self, smime_group, smime_user):`
			`api.Command.group_add_member(smime_group, user=smime_user)`

			`def test_add_group_to_acl(self, smime_group, smime_acl):`
			`smime_acl.add_user(group=smime_group)`

			`def test_sign_smime_csr(self, smime_profile, smime_user):`
			`csr = generate_user_csr(smime_user)`
			`with change_principal(smime_user, SMIME_USER_PW):`
			`api.Command.cert_request(csr, principal=smime_user,`
			`profile_id=smime_profile.name)`

ipatests: Add test case for requesting a certificate with full principal. https://fedorahosted.org/freeipa/ticket/5733 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 2016-04-05 03:04:03 -05:00			`def test_sign_smime_csr_full_principal(self, smime_profile, smime_user):`
			`csr = generate_user_csr(smime_user)`
			`smime_user_principal = '@'.join((smime_user, api.env.realm))`
			`with change_principal(smime_user, SMIME_USER_PW):`
			`api.Command.cert_request(csr, principal=smime_user_principal,`
			`profile_id=smime_profile.name)`

ipatests: CA ACL and cert profile functional test https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com> 2015-09-22 08:22:25 -05:00
Applied tier0 and tier1 marks on unit tests and xmlrpc tests Web UI tests were marked as tier1 tests. The tier system is intended to be used together with CI system to make sure the more complicated tests are being run only when all of the basic functionality is working. The system is using pytest's marker system. E.g. an invocation of all tier1 tests with listing will look like: $ py.test -v -m tier1 ipatests or in case of out of tree tests: $ ipa-run-tests -m tier1 Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com> 2015-04-24 07:39:48 -05:00			`@pytest.mark.tier1`
ipatests: CA ACL and cert profile functional test https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com> 2015-09-22 08:22:25 -05:00			`class TestSignWithDisabledACL(XMLRPC_test):`

			`def test_import_profile_and_acl(self, smime_profile, smime_acl):`
			`smime_profile.ensure_exists()`
			`smime_acl.ensure_missing()`
			`smime_acl.ensure_exists()`

			`def test_add_profile_to_acl(self, smime_acl, smime_profile):`
			`smime_acl.add_profile(certprofile=smime_profile.name)`

			`# rewrite to trackers, prepare elsewhere`
			`def test_add_user_to_group(self, smime_group, smime_user):`
			`api.Command.group_add_member(smime_group, user=smime_user)`

			`def test_add_group_to_acl(self, smime_group, smime_acl):`
			`smime_acl.add_user(group=smime_group)`

			`def test_disable_acl(self, smime_acl):`
			`smime_acl.disable()`

			`def test_signing_with_disabled_acl(self, smime_acl, smime_profile,`
			`smime_user):`
			`csr = generate_user_csr(smime_user)`
			`with change_principal(smime_user, SMIME_USER_PW):`
			`with pytest.raises(errors.ACIError):`
			`api.Command.cert_request(`
			`csr, profile_id=smime_profile.name,`
			`principal=smime_user)`

			`def test_admin_overrides_disabled_acl(self, smime_acl, smime_profile,`
			`smime_user):`
			`csr = generate_user_csr(smime_user)`
			`api.Command.cert_request(`
			`csr, profile_id=smime_profile.name,`
			`principal=smime_user)`


Applied tier0 and tier1 marks on unit tests and xmlrpc tests Web UI tests were marked as tier1 tests. The tier system is intended to be used together with CI system to make sure the more complicated tests are being run only when all of the basic functionality is working. The system is using pytest's marker system. E.g. an invocation of all tier1 tests with listing will look like: $ py.test -v -m tier1 ipatests or in case of out of tree tests: $ ipa-run-tests -m tier1 Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com> 2015-04-24 07:39:48 -05:00			`@pytest.mark.tier1`
ipatests: CA ACL and cert profile functional test https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com> 2015-09-22 08:22:25 -05:00			`class TestSignWithoutGroupMembership(XMLRPC_test):`

			`def test_import_profile_and_acl(self, smime_profile, smime_acl):`
			`smime_profile.ensure_exists()`
			`smime_acl.ensure_missing()`
			`smime_acl.ensure_exists()`

			`def test_add_profile_to_acl(self, smime_acl, smime_profile):`
			`smime_acl.add_profile(certprofile=smime_profile.name)`

			`def test_add_group_to_acl(self, smime_group, smime_acl, smime_user):`
			`# smime user should not be a member of this group`
			`#`
			`# adding smime_user fixture to ensure it exists`
			`smime_acl.add_user(group=smime_group)`

			`def test_signing_with_non_member_principal(self, smime_acl, smime_profile,`
			`smime_user):`

			`csr = generate_user_csr(smime_user)`
			`with change_principal(smime_user, SMIME_USER_PW):`
			`with pytest.raises(errors.ACIError):`
			`api.Command.cert_request(`
			`csr,`
			`profile_id=smime_profile.name,`
			`principal=smime_user)`

			`def test_admin_overrides_group_membership(self, smime_acl, smime_profile,`
			`smime_user):`
			`csr = generate_user_csr(smime_user)`
			`api.Command.cert_request(`
			`csr, profile_id=smime_profile.name,`
			`principal=smime_user)`


Applied tier0 and tier1 marks on unit tests and xmlrpc tests Web UI tests were marked as tier1 tests. The tier system is intended to be used together with CI system to make sure the more complicated tests are being run only when all of the basic functionality is working. The system is using pytest's marker system. E.g. an invocation of all tier1 tests with listing will look like: $ py.test -v -m tier1 ipatests or in case of out of tree tests: $ ipa-run-tests -m tier1 Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com> 2015-04-24 07:39:48 -05:00			`@pytest.mark.tier1`
ipatests: CA ACL and cert profile functional test https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com> 2015-09-22 08:22:25 -05:00			`class TestSignWithChangedProfile(XMLRPC_test):`
			`""" Test to verify that the updated profile is used.`

			`The profile change requires different CN in CSR`
			`than the one configured. This leads to rejection`
			`based on not meeting the profile constraints.`
			`"""`

			`def test_prepare_env(self, smime_profile, smime_acl):`
			`smime_profile.ensure_exists()`
			`smime_acl.ensure_exists()`

			`smime_acl.add_profile(certprofile=smime_profile.name)`

			`def test_prepare_user_and_group(self, smime_group, smime_user, smime_acl):`
			`api.Command.group_add_member(smime_group, user=smime_user)`
			`smime_acl.add_user(group=smime_group)`

			`def test_modify_smime_profile(self, smime_profile):`
			`updated_profile_path = prepare_config(SMIME_MOD_CONSTR_PROFILE_TEMPLATE,`
			`dict(`
			`ipadomain=api.env.domain,`
			`iparealm=api.env.realm))`

			`with open(updated_profile_path) as f:`
			`updated_profile = unicode(f.read())`

			`updates = {u'file': updated_profile}`
			`update_smime_profile = smime_profile.make_update_command(updates)`
			`update_smime_profile()`

			`def test_sign_smime_csr(self, smime_profile, smime_user):`
			`csr = generate_user_csr(smime_user)`
			`with change_principal(smime_user, SMIME_USER_PW):`
			`with pytest.raises(errors.CertificateOperationError):`
			`api.Command.cert_request(csr, principal=smime_user,`
			`profile_id=smime_profile.name)`
ipatests: Test Sub CA with CAACL and certificate profile Test the Sub CA feature by signing a CSR with custom certificate profile. The test also covers 'cert-request' fallback behaviour for missing 'cacn' and 'profile-id' options by reusing the fixtures from the module. https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> 2016-06-21 08:57:58 -05:00

			`@pytest.fixture(scope='class')`
			`def smime_signing_ca(request):`
			`name = u'smime-signing-ca'`
			`subject = u'CN=SMIME CA,O=test industries Inc.'`
			`return CATracker(name, subject).make_fixture(request)`


			`@pytest.mark.tier1`
			`class TestCertSignMIMEwithSubCA(XMLRPC_test):`
			`""" Test Certificate Signing with Sub CA`

			`The test covers following areas:`

			`* signing a CSR with custom certificate profile`
			`using a designated Sub CA`
			`* Verify that the Issuer of the signed certificate`
			`is the reqested CA`
			`* Verify that when not set, cert-request uses the default CA.`
			`This it verified by violating an ACL`
			`* Verify that when not set, cert-request uses the default`
			`certificate profile.`

			`The latter two test cases are implemented in this module`
			`as not to replicate the fixtures to cert plugin test module.`
			`"""`

			`def test_cert_import(self, smime_profile):`
			`smime_profile.ensure_exists()`

			`def test_create_acl(self, smime_acl):`
			`smime_acl.ensure_exists()`

			`def test_create_subca(self, smime_signing_ca):`
			`smime_signing_ca.ensure_exists()`

			`def test_add_profile_to_acl(self, smime_acl, smime_profile):`
			`smime_acl.add_profile(certprofile=smime_profile.name)`

			`def test_add_subca_to_acl(self, smime_acl, smime_signing_ca):`
			`smime_acl.add_ca(smime_signing_ca.name)`

			`# rewrite to trackers, prepare elsewhere`
			`def test_add_user_to_group(self, smime_group, smime_user):`
			`api.Command.group_add_member(smime_group, user=smime_user)`

			`def test_add_group_to_acl(self, smime_group, smime_acl):`
			`smime_acl.add_user(group=smime_group)`

			`def test_sign_smime_csr(self, smime_profile, smime_user, smime_signing_ca):`
			`csr = generate_user_csr(smime_user)`
			`with change_principal(smime_user, SMIME_USER_PW):`
			`api.Command.cert_request(csr, principal=smime_user,`
			`profile_id=smime_profile.name,`
			`cacn=smime_signing_ca.name)`

			`def test_sign_smime_csr_full_principal(`
			`self, smime_profile, smime_user, smime_signing_ca):`
			`csr = generate_user_csr(smime_user)`
			`smime_user_principal = '@'.join((smime_user, api.env.realm))`
			`with change_principal(smime_user, SMIME_USER_PW):`
			`api.Command.cert_request(csr, principal=smime_user_principal,`
			`profile_id=smime_profile.name,`
			`cacn=smime_signing_ca.name)`

			`def test_verify_cert_issuer_dn_is_subca(`
			`self, smime_profile, smime_user, smime_signing_ca):`
			`csr = generate_user_csr(smime_user)`
			`smime_user_principal = '@'.join((smime_user, api.env.realm))`
			`with change_principal(smime_user, SMIME_USER_PW):`
			`cert_info = api.Command.cert_request(`
			`csr, principal=smime_user_principal,`
			`profile_id=smime_profile.name, cacn=smime_signing_ca.name)`

			`assert cert_info['result']['issuer'] == smime_signing_ca.ipasubjectdn`

			`def test_sign_smime_csr_fallback_to_default_CA(`
			`self, smime_profile, smime_user, smime_signing_ca):`
			`""" Attempt to sign a CSR without CA specified.`

			`The request will satisfy SMIME_ACL via the profile ID,`
			`however not specifying the CA will fallback to the IPA CA`
			`for which SMIME profile isn't enabled, thus violating ACL.`
			`"""`
			`csr = generate_user_csr(smime_user)`
			`smime_user_principal = '@'.join((smime_user, api.env.realm))`

			`with pytest.raises(errors.ACIError):`
			`with change_principal(smime_user, SMIME_USER_PW):`
			`api.Command.cert_request(csr, principal=smime_user_principal,`
			`profile_id=smime_profile.name)`

			`def test_sign_smime_csr_fallback_to_default_cert_profile(`
			`self, smime_profile, smime_user, smime_signing_ca):`
			`""" Attempt to sign a CSR without certificate profile specified.`

			`Similar to previous test case.`
			`By specifying only the CA to use, profile will fallback to`
			`the default caIPAserviceCert profile which is not enabled`
			`via ACL to be used with the CA, thus failing the request.`
			`"""`
			`csr = generate_user_csr(smime_user)`
			`smime_user_principal = '@'.join((smime_user, api.env.realm))`

			`with pytest.raises(errors.ACIError):`
			`with change_principal(smime_user, SMIME_USER_PW):`
			`api.Command.cert_request(csr, principal=smime_user_principal,`
			`cacn=smime_signing_ca.name)`