ipatests: test software HSM installation with server & replica

Use SoftHSM2 to install an IPA CA to store the keys in an HSM.

Whenever new keys are generated, either in the initial install
or if a KRA is installed then the token needs to be synced
between all servers prior to installing a new CA or KRA.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit is contained in:
Mohammad Rizwan 2022-12-29 14:55:18 +05:30 committed by Rob Crittenden
parent 06a8791b9b
commit 36dbc6b025
5 changed files with 1146 additions and 7 deletions


@ -435,7 +435,8 @@ def master_authoritative_for_client_domain(master, client):
def install_replica(master, replica, setup_ca=True, setup_dns=False,
setup_kra=False, setup_adtrust=False, extra_args=(),
domain_level=None, unattended=True, stdin_text=None,
raiseonerr=True, promote=True, nameservers='master'):
raiseonerr=True, promote=True, nameservers='master',
token_password=None):
"""
This task installs client and then promote it to the replica
@ -508,6 +509,8 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
enable_crypto_subpolicy(replica, "AD-SUPPORT")
if master_authoritative_for_client_domain(master, replica):
args.extend(['--ip-address', replica.ip])
if token_password:
args.extend(['--token-password', token_password])
args.extend(replica_args) # append extra arguments to installation
@ -1424,7 +1427,7 @@ def double_circle_topo(master, replicas, site_size=6):
def install_topo(topo, master, replicas, clients, domain_level=None,
skip_master=False, setup_replica_cas=True,
setup_replica_kras=False, clients_extra_args=(),
random_serial=False):
random_serial=False, token_password=None):
"""Install IPA servers and clients in the given topology"""
if setup_replica_kras and not setup_replica_cas:
raise ValueError("Option 'setup_replica_kras' requires "
@ -1452,6 +1455,7 @@ def install_topo(topo, master, replicas, clients, domain_level=None,
setup_ca=setup_replica_cas,
setup_kra=setup_replica_kras,
nameservers=master.ip,
token_password=token_password
)
installed.add(child)
install_clients([master] + replicas, clients, clients_extra_args)
@ -1684,11 +1688,14 @@ def ipa_restore(master, backup_path, backend=None):
def install_kra(host, domain_level=None,
first_instance=False, raiseonerr=True):
first_instance=False, token_password=None,
raiseonerr=True):
if domain_level is None:
domain_level = domainlevel(host)
check_domain_level(domain_level)
command = ["ipa-kra-install", "-U", "-p", host.config.dirman_password]
if token_password:
command.extend(['--token-password', token_password])
result = host.run_command(command, raiseonerr=raiseonerr)
return result
@ -1696,7 +1703,7 @@ def install_kra(host, domain_level=None,
def install_ca(
host, domain_level=None, first_instance=False, external_ca=False,
cert_files=None, raiseonerr=True, extra_args=(),
random_serial=False,
random_serial=False, token_password=None,
):
if domain_level is None:
domain_level = domainlevel(host)
@ -1705,6 +1712,8 @@ def install_ca(
"-P", 'admin', "-w", host.config.admin_password]
if random_serial:
command.append('--random-serial-numbers')
if token_password:
command.extend(['--token-password', token_password])
if not isinstance(extra_args, (tuple, list)):
raise TypeError("extra_args must be tuple or list")
command.extend(extra_args)
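Review bot: In the `install_kra` hunk the new `token_password` parameter is inserted before `raiseonerr`, so a caller that passes `raiseonerr` positionally as the fourth argument now silently supplies it as the token password; `install_replica`, `install_topo` and `install_ca` all append the parameter last, and this signature should match them: `first_instance=False, raiseonerr=True, token_password=None):`. All four functions hand the password to the installer as a plain `--token-password` argument, so it is visible in the host's process list and in whatever `run_command` logs; that is tolerable for a test fixture but worth stating with a comment such as `# token password is passed on the command line and will show up in test logs`. The `install_replica` docstring that begins at the end of the first hunk does not describe the new parameter and should get a one-line description of it. All of the affected function bodies continue outside the hunks shown.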


@ -40,6 +40,7 @@ class IntegrationTest:
domain_level = None
fips_mode = None
random_serial = False
token_password = None
@classmethod
def host_by_role(cls, role):
@ -89,7 +90,8 @@ class IntegrationTest:
tasks.install_topo(cls.topology,
cls.master, cls.replicas,
cls.clients, domain_level,
random_serial=cls.random_serial)
random_serial=cls.random_serial,
token_password=cls.token_password)
@classmethod
def uninstall(cls, mh):
for replica in cls.replicas:
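Review bot: The new class attribute `token_password = None` is the switch that makes a test class install against an HSM token, but nothing on the class says what value it takes or where it ends up; the neighbouring attributes are equally bare, yet this one is forwarded to an installer command line via `install_topo`. A comment above it such as `# HSM token password; when set it is forwarded to install_topo and from there to the replica/CA/KRA installers as --token-password` would let a test author find it without reading tasks.py. `uninstall` continues outside the hunk.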


@ -184,7 +184,7 @@ class CALessBase(IntegrationTest):
http_pin=_DEFAULT, dirsrv_pin=_DEFAULT, pkinit_pin=None,
root_ca_file='root.pem', pkinit_pkcs12_exists=False,
pkinit_pkcs12='server-kdc.p12', unattended=True,
stdin_text=None, extra_args=None):
stdin_text=None, extra_args=[]):
"""Install a CA-less server
Return value is the remote ipa-server-install command
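Review bot: One of the two printed versions of the `install_server` signature carries a mutable default, `extra_args=[]`; if that is the new side, the same list object is shared by every call that omits `extra_args`, so any `append`/`extend` in the body (which continues outside the hunk) leaks arguments into later installs in the same process. The safer form is `extra_args=None` in the signature with `extra_args = [] if extra_args is None else list(extra_args)` at the top of the body, which also copies a caller-supplied list instead of mutating it. If the hunk instead replaces `[]` with `None`, the body needs exactly that guard before `extra_args` is first used.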


@ -81,6 +81,7 @@ def install_server_external_ca_step1(host, extra_args=(), raiseonerr=True):
def install_server_external_ca_step2(host, ipa_ca_cert, root_ca_cert,
extra_args=(),
raiseonerr=True):
"""Step 2 to install the ipa server with external ca"""
args = ['ipa-server-install', '-U', '-r', host.domain.realm,
@ -88,7 +89,7 @@ def install_server_external_ca_step2(host, ipa_ca_cert, root_ca_cert,
'-p', host.config.dirman_password,
'--external-cert-file', ipa_ca_cert,
'--external-cert-file', root_ca_cert]
args.extend(extra_args)
cmd = host.run_command(args, raiseonerr=raiseonerr)
return cmd
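Review bot: `install_server_external_ca_step2` now accepts `extra_args=()` and feeds it straight into `args.extend(extra_args)` with no type check, whereas `install_ca` in the same commit rejects anything that is not a tuple or list; a caller that passes a single string here has it split into one-character arguments instead of getting an error. Matching the existing guard keeps the helpers consistent: `if not isinstance(extra_args, (tuple, list)): raise TypeError("extra_args must be tuple or list")` placed before the `extend`. The `"""Step 2 to install the ipa server with external ca"""` docstring should also note that `extra_args` are appended verbatim to the `ipa-server-install` command line.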
