ipatests: test software HSM installation with server & replica
Use SoftHSM2 to install an IPA CA to store the keys in an HSM. Whenever new keys are generated either in the initial install or if a KRA is installed then the token needs to be synced between all servers prior to installing a new CA or KRA. Fixes: https://pagure.io/freeipa/issue/9273 Signed-off-by: Mohammad Rizwan <myusuf@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit is contained in:
parent
06a8791b9b
commit
36dbc6b025
@ -435,7 +435,8 @@ def master_authoritative_for_client_domain(master, client):
|
||||
def install_replica(master, replica, setup_ca=True, setup_dns=False,
|
||||
setup_kra=False, setup_adtrust=False, extra_args=(),
|
||||
domain_level=None, unattended=True, stdin_text=None,
|
||||
raiseonerr=True, promote=True, nameservers='master'):
|
||||
raiseonerr=True, promote=True, nameservers='master',
|
||||
token_password=None):
|
||||
"""
|
||||
This task installs client and then promote it to the replica
|
||||
|
||||
@ -508,6 +509,8 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
|
||||
enable_crypto_subpolicy(replica, "AD-SUPPORT")
|
||||
if master_authoritative_for_client_domain(master, replica):
|
||||
args.extend(['--ip-address', replica.ip])
|
||||
if token_password:
|
||||
args.extend(['--token-password', token_password])
|
||||
|
||||
args.extend(replica_args) # append extra arguments to installation
|
||||
|
||||
@ -1424,7 +1427,7 @@ def double_circle_topo(master, replicas, site_size=6):
|
||||
def install_topo(topo, master, replicas, clients, domain_level=None,
|
||||
skip_master=False, setup_replica_cas=True,
|
||||
setup_replica_kras=False, clients_extra_args=(),
|
||||
random_serial=False):
|
||||
random_serial=False, token_password=None):
|
||||
"""Install IPA servers and clients in the given topology"""
|
||||
if setup_replica_kras and not setup_replica_cas:
|
||||
raise ValueError("Option 'setup_replica_kras' requires "
|
||||
@ -1452,6 +1455,7 @@ def install_topo(topo, master, replicas, clients, domain_level=None,
|
||||
setup_ca=setup_replica_cas,
|
||||
setup_kra=setup_replica_kras,
|
||||
nameservers=master.ip,
|
||||
token_password=token_password
|
||||
)
|
||||
installed.add(child)
|
||||
install_clients([master] + replicas, clients, clients_extra_args)
|
||||
@ -1684,11 +1688,14 @@ def ipa_restore(master, backup_path, backend=None):
|
||||
|
||||
|
||||
def install_kra(host, domain_level=None,
|
||||
first_instance=False, raiseonerr=True):
|
||||
first_instance=False, token_password=None,
|
||||
raiseonerr=True):
|
||||
if domain_level is None:
|
||||
domain_level = domainlevel(host)
|
||||
check_domain_level(domain_level)
|
||||
command = ["ipa-kra-install", "-U", "-p", host.config.dirman_password]
|
||||
if token_password:
|
||||
command.extend(['--token-password', token_password])
|
||||
result = host.run_command(command, raiseonerr=raiseonerr)
|
||||
return result
|
||||
|
||||
@ -1696,7 +1703,7 @@ def install_kra(host, domain_level=None,
|
||||
def install_ca(
|
||||
host, domain_level=None, first_instance=False, external_ca=False,
|
||||
cert_files=None, raiseonerr=True, extra_args=(),
|
||||
random_serial=False,
|
||||
random_serial=False, token_password=None,
|
||||
):
|
||||
if domain_level is None:
|
||||
domain_level = domainlevel(host)
|
||||
@ -1705,6 +1712,8 @@ def install_ca(
|
||||
"-P", 'admin', "-w", host.config.admin_password]
|
||||
if random_serial:
|
||||
command.append('--random-serial-numbers')
|
||||
if token_password:
|
||||
command.extend(['--token-password', token_password])
|
||||
if not isinstance(extra_args, (tuple, list)):
|
||||
raise TypeError("extra_args must be tuple or list")
|
||||
command.extend(extra_args)
|
||||
|
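Review bot: In install_kra the new `token_password=None` parameter is inserted before `raiseonerr=True` on the replaced signature line, so a caller that passes raiseonerr as the fourth positional argument now silently sets token_password instead and keeps the default raiseonerr. The other helpers in this section (install_replica, install_topo, install_ca) append the new parameter last; install_kra should do the same: `first_instance=False, raiseonerr=True,` / `token_password=None):`. Separately, the token password is appended verbatim to the argv handed to `host.run_command`, next to the dirman password that is already passed the same way, so it will show up wherever the test framework logs the command line; a short comment at each `command.extend(['--token-password', token_password])` such as `# token password is visible in the logged command line (test use only)` makes that explicit. install_replica's docstring (starting at "This task installs client") should also describe token_password; the bodies of install_replica, install_kra and install_ca continue outside their hunks.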
@ -40,6 +40,7 @@ class IntegrationTest:
|
||||
domain_level = None
|
||||
fips_mode = None
|
||||
random_serial = False
|
||||
token_password = None
|
||||
|
||||
@classmethod
|
||||
def host_by_role(cls, role):
|
||||
@ -89,7 +90,8 @@ class IntegrationTest:
|
||||
tasks.install_topo(cls.topology,
|
||||
cls.master, cls.replicas,
|
||||
cls.clients, domain_level,
|
||||
random_serial=cls.random_serial)
|
||||
random_serial=cls.random_serial,
|
||||
token_password=cls.token_password)
|
||||
@classmethod
|
||||
def uninstall(cls, mh):
|
||||
for replica in cls.replicas:
|
||||
|
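Review bot: The new class attribute `token_password = None` in IntegrationTest has no comment saying what it holds or which test classes are expected to override it, unlike a reader can infer for the neighbouring flags only by following the install_topo call below. A one-line comment would do: `token_password = None  # HSM token password forwarded to install_topo (--token-password); None for non-HSM tests`. The consumers of the value (tasks.install_topo and the installers it calls) are outside this section.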
@ -184,7 +184,7 @@ class CALessBase(IntegrationTest):
|
||||
http_pin=_DEFAULT, dirsrv_pin=_DEFAULT, pkinit_pin=None,
|
||||
root_ca_file='root.pem', pkinit_pkcs12_exists=False,
|
||||
pkinit_pkcs12='server-kdc.p12', unattended=True,
|
||||
stdin_text=None, extra_args=None):
|
||||
stdin_text=None, extra_args=[]):
|
||||
"""Install a CA-less server
|
||||
|
||||
Return value is the remote ipa-server-install command
|
||||
|
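Review bot: If the print order reflects the change, the default of extra_args moves from `None` to `[]`, a single list object shared by every call of the method whose parameters this hunk edits; any in-place mutation of it in the body (not visible here, the def line and the body both lie outside the hunk) would leak arguments into later calls. The sibling helpers touched by this commit use an empty tuple for the same parameter, so `stdin_text=None, extra_args=()):` gives the same convenience without shared state, or the default can stay `None` and be normalised inside the body.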
@ -81,6 +81,7 @@ def install_server_external_ca_step1(host, extra_args=(), raiseonerr=True):
|
||||
|
||||
|
||||
def install_server_external_ca_step2(host, ipa_ca_cert, root_ca_cert,
|
||||
extra_args=(),
|
||||
raiseonerr=True):
|
||||
"""Step 2 to install the ipa server with external ca"""
|
||||
args = ['ipa-server-install', '-U', '-r', host.domain.realm,
|
||||
@ -88,7 +89,7 @@ def install_server_external_ca_step2(host, ipa_ca_cert, root_ca_cert,
|
||||
'-p', host.config.dirman_password,
|
||||
'--external-cert-file', ipa_ca_cert,
|
||||
'--external-cert-file', root_ca_cert]
|
||||
|
||||
args.extend(extra_args)
|
||||
cmd = host.run_command(args, raiseonerr=raiseonerr)
|
||||
return cmd
|
||||
|
||||
|
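Review bot: `args.extend(extra_args)` in install_server_external_ca_step2 accepts the new extra_args without the type check install_ca performs in this same commit, so a caller passing a single string would have it spread character by character into the ipa-server-install argv. Mirror install_ca before the extend: `if not isinstance(extra_args, (tuple, list)):` / `    raise TypeError("extra_args must be tuple or list")`. The docstring `"""Step 2 to install the ipa server with external ca"""` should also mention that extra_args is appended verbatim to the install command.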
1127
ipatests/test_integration/test_hsm.py
Normal file