ipatests: test software HSM installation with server & replica

Use SoftHSM2 to install an IPA CA to store the keys in an HSM.

Whenenver new keys are generated either in the initial install
or if a KRA is installed then the token needs to be synced
between all servers prior to installing a new CA or KRA.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

ipatests/pytest_ipa/integration/config.py

@@ -44,6 +44,9 @@ class Config(pytest_multihost.config.Config):
         'domain_level',
         'log_journal_since',
         'fips_mode',
+        'token_name',
+        'token_password',
+        'token_library',
     }
 
     def __init__(self, **kwargs):
@@ -69,6 +72,9 @@ class Config(pytest_multihost.config.Config):
         if self.domain_level is None:
             self.domain_level = MAX_DOMAIN_LEVEL
         self.fips_mode = kwargs.get('fips_mode', False)
+        self.token_name = kwargs.get('token_name', None)
+        self.token_password = kwargs.get('token_password', None)
+        self.token_library = kwargs.get('token_library', None)
 
     def get_domain_class(self):
         return Domain

ipatests/pytest_ipa/integration/tasks.py

@@ -432,11 +432,23 @@ def master_authoritative_for_client_domain(master, client):
     return result.returncode == 0
 
 
+def copy_nfast_data(src_host, dest_host):
+    src_host.run_command(
+        ['tar', '-cf', '/root/token_files.tar', '.'],
+        cwd='/opt/nfast/kmdata/local/'
+    )
+    tarball = src_host.get_file_contents('/root/token_files.tar')
+    dest_host.put_file_contents('/root/token_files.tar', tarball)
+    dest_host.run_command(
+        ['tar', '-xf', '/root/token_files.tar',
+         '-C', '/opt/nfast/kmdata/local']
+    )
+
+
 def install_replica(master, replica, setup_ca=True, setup_dns=False,
                     setup_kra=False, setup_adtrust=False, extra_args=(),
                     domain_level=None, unattended=True, stdin_text=None,
-                    raiseonerr=True, promote=True, nameservers='master',
-                    token_password=None):
+                    raiseonerr=True, promote=True, nameservers='master'):
     """
     This task installs client and then promote it to the replica
 
@@ -509,8 +521,6 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
             enable_crypto_subpolicy(replica, "AD-SUPPORT")
     if master_authoritative_for_client_domain(master, replica):
         args.extend(['--ip-address', replica.ip])
-    if token_password:
-        args.extend(['--token-password', token_password])
 
     args.extend(replica_args)  # append extra arguments to installation
 
@@ -1427,7 +1437,7 @@ def double_circle_topo(master, replicas, site_size=6):
 def install_topo(topo, master, replicas, clients, domain_level=None,
                  skip_master=False, setup_replica_cas=True,
                  setup_replica_kras=False, clients_extra_args=(),
-                 random_serial=False, token_password=None):
+                 random_serial=False, extra_args=()):
     """Install IPA servers and clients in the given topology"""
     if setup_replica_kras and not setup_replica_cas:
         raise ValueError("Option 'setup_replica_kras' requires "
@@ -1455,7 +1465,7 @@ def install_topo(topo, master, replicas, clients, domain_level=None,
                 setup_ca=setup_replica_cas,
                 setup_kra=setup_replica_kras,
                 nameservers=master.ip,
-                token_password=token_password
+                extra_args=extra_args,
             )
         installed.add(child)
     install_clients([master] + replicas, clients, clients_extra_args)
@@ -1688,14 +1698,15 @@ def ipa_restore(master, backup_path, backend=None):
 
 
 def install_kra(host, domain_level=None,
-                first_instance=False, token_password=None,
-                raiseonerr=True):
+                first_instance=False, raiseonerr=True,
+                extra_args=(),):
     if domain_level is None:
         domain_level = domainlevel(host)
     check_domain_level(domain_level)
     command = ["ipa-kra-install", "-U", "-p", host.config.dirman_password]
-    if token_password:
-        command.extend(['--token-password', token_password])
+    if not isinstance(extra_args, (tuple, list)):
+        raise TypeError("extra_args must be tuple or list")
+    command.extend(extra_args)
     result = host.run_command(command, raiseonerr=raiseonerr)
     return result
 
@@ -1703,7 +1714,7 @@ def install_kra(host, domain_level=None,
 def install_ca(
         host, domain_level=None, first_instance=False, external_ca=False,
         cert_files=None, raiseonerr=True, extra_args=(),
-        random_serial=False, token_password=None,
+        random_serial=False,
 ):
     if domain_level is None:
         domain_level = domainlevel(host)
@@ -1712,8 +1723,6 @@ def install_ca(
                "-P", 'admin', "-w", host.config.admin_password]
     if random_serial:
         command.append('--random-serial-numbers')
-    if token_password:
-        command.extend(['--token-password', token_password])
     if not isinstance(extra_args, (tuple, list)):
         raise TypeError("extra_args must be tuple or list")
     command.extend(extra_args)

ipatests/test_integration/base.py

@@ -74,6 +74,7 @@ class IntegrationTest:
 
     @classmethod
     def install(cls, mh):
+        extra_args = []
         if cls.domain_level is not None:
             domain_level = cls.domain_level
         else:
@@ -87,11 +88,13 @@ class IntegrationTest:
         if cls.topology is None:
             return
         else:
+            if cls.token_password:
+                extra_args.extend(('--token-password', cls.token_password,))
             tasks.install_topo(cls.topology,
                                cls.master, cls.replicas,
                                cls.clients, domain_level,
                                random_serial=cls.random_serial,
-                               token_password=cls.token_password)
+                               extra_args=extra_args,)
     @classmethod
     def uninstall(cls, mh):
         for replica in cls.replicas: