diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py index a326e1eba..158c2efdb 100644 --- a/ipatests/test_integration/test_caless.py +++ b/ipatests/test_integration/test_caless.py @@ -163,9 +163,9 @@ class CALessBase(IntegrationTest): '--forwarder', host.config.dns_forwarder, ] - if http_pin: + if http_pin is not None: args.extend(['--http_pin', http_pin]) - if dirsrv_pin: + if dirsrv_pin is not None: args.extend(['--dirsrv_pin', dirsrv_pin]) if unattended: args.extend(['-U']) @@ -231,9 +231,9 @@ class CALessBase(IntegrationTest): args.extend(['--http_pkcs12', http_pkcs12]) if dirsrv_pkcs12: args.extend(['--dirsrv_pkcs12', dirsrv_pkcs12]) - if http_pin: + if http_pin is not None: args.extend(['--http_pin', http_pin]) - if dirsrv_pin: + if dirsrv_pin is not None: args.extend(['--dirsrv_pin', dirsrv_pin]) args.extend([replica.hostname]) @@ -277,14 +277,16 @@ class CALessBase(IntegrationTest): return replica.run_command(args) @classmethod - def export_pkcs12(cls, nickname, filename='server.p12'): + def export_pkcs12(cls, nickname, filename='server.p12', password=None): """Export a cert as PKCS#12 to the given file""" + if password is None: + password = cls.cert_password ipautil.run(['pk12util', '-o', filename, '-n', nickname, '-d', 'nssdb', '-K', cls.cert_password, - '-W', cls.cert_password], cwd=cls.cert_dir) + '-W', password], cwd=cls.cert_dir) @classmethod def get_pem(cls, nickname): @@ -422,7 +424,7 @@ class TestServerInstall(CALessBase): with open(self.pem_filename, 'w') as f: f.write(self.get_pem('ca1')) - result = self.install_server(http_pin=False) + result = self.install_server(http_pin=None) assert_error(result, 'ipa-server-install: error: You must specify --http_pin ' 'with --http_pkcs12') @@ -434,7 +436,7 @@ class TestServerInstall(CALessBase): with open(self.pem_filename, 'w') as f: f.write(self.get_pem('ca1')) - result = self.install_server(dirsrv_pin=False) + result = self.install_server(dirsrv_pin=None) assert_error(result, 'ipa-server-install: error: You must specify ' '--dirsrv_pin with --dirsrv_pkcs12') @@ -679,7 +681,7 @@ class TestServerInstall(CALessBase): stdin_text = get_install_stdin(cert_passwords=[self.cert_password]) - result = self.install_server(http_pin=False, unattended=False, + result = self.install_server(http_pin=None, unattended=False, stdin_text=stdin_text) assert result.returncode == 0 self.verify_installation() @@ -695,13 +697,41 @@ class TestServerInstall(CALessBase): stdin_text = get_install_stdin(cert_passwords=[self.cert_password]) - result = self.install_server(dirsrv_pin=False, unattended=False, + result = self.install_server(dirsrv_pin=None, unattended=False, stdin_text=stdin_text) assert result.returncode == 0 self.verify_installation() assert ('Enter server.p12 unlock password:' in result.stdout_text), result.stdout_text + def test_no_http_password(self): + "IPA server install with empty HTTP password" + + self.export_pkcs12('ca1/server', filename='http.p12', password='') + self.export_pkcs12('ca1/server', filename='dirsrv.p12') + with open(self.pem_filename, 'w') as f: + f.write(self.get_pem('ca1')) + + result = self.install_server(http_pkcs12='http.p12', + dirsrv_pkcs12='dirsrv.p12', + http_pin='') + assert result.returncode == 0 + self.verify_installation() + + def test_no_ds_password(self): + "IPA server install with empty DS password" + + self.export_pkcs12('ca1/server', filename='http.p12') + self.export_pkcs12('ca1/server', filename='dirsrv.p12', password='') + with open(self.pem_filename, 'w') as f: + f.write(self.get_pem('ca1')) + + result = self.install_server(http_pkcs12='http.p12', + dirsrv_pkcs12='dirsrv.p12', + dirsrv_pin='') + assert result.returncode == 0 + self.verify_installation() + class TestReplicaInstall(CALessBase): num_replicas = 1 @@ -1006,7 +1036,7 @@ class TestReplicaInstall(CALessBase): stdin_text = get_replica_prepare_stdin( cert_passwords=[self.cert_password]) - result = self.prepare_replica(http_pin=False, unattended=False, + result = self.prepare_replica(http_pin=None, unattended=False, stdin_text=stdin_text) assert result.returncode == 0 @@ -1023,7 +1053,7 @@ class TestReplicaInstall(CALessBase): stdin_text = get_replica_prepare_stdin( cert_passwords=[self.cert_password]) - result = self.prepare_replica(dirsrv_pin=False, unattended=False, + result = self.prepare_replica(dirsrv_pin=None, unattended=False, stdin_text=stdin_text) assert result.returncode == 0 @@ -1032,6 +1062,36 @@ class TestReplicaInstall(CALessBase): self.verify_installation() + def test_no_http_password(self): + "IPA replica install with empty HTTP password" + + self.export_pkcs12('ca1/replica', filename='http.p12', password='') + self.export_pkcs12('ca1/replica', filename='dirsrv.p12') + + result = self.prepare_replica(http_pkcs12='http.p12', + dirsrv_pkcs12='dirsrv.p12', + http_pin='') + assert result.returncode == 0 + + result = self.install_replica() + assert result.returncode == 0 + + self.verify_installation() + + def test_no_ds_password(self): + "IPA replica install with empty DS password" + + self.export_pkcs12('ca1/replica', filename='http.p12') + self.export_pkcs12('ca1/replica', filename='dirsrv.p12', password='') + + result = self.prepare_replica(http_pkcs12='http.p12', + dirsrv_pkcs12='dirsrv.p12', + dirsrv_pin='') + assert result.returncode == 0 + + result = self.install_replica() + assert result.returncode == 0 + class TestClientInstall(CALessBase): num_clients = 1 @@ -1174,9 +1234,10 @@ class TestCertinstall(CALessBase): tasks.kinit_admin(cls.master) def certinstall(self, mode, cert_nick=None, cert_exists=True, - filename='server.p12', pin=_DEFAULT, stdin_text=None): + filename='server.p12', pin=_DEFAULT, stdin_text=None, + p12_pin=None): if cert_nick: - self.export_pkcs12(cert_nick) + self.export_pkcs12(cert_nick, password=p12_pin) if pin is _DEFAULT: pin = self.cert_password if cert_exists: @@ -1364,3 +1425,15 @@ class TestCertinstall(CALessBase): pin=None, stdin_text=self.cert_password + '\n') assert result.returncode == 0 + + def test_no_http_password(self): + "Install new HTTP certificate with no PKCS#12 password" + + result = self.certinstall('w', 'ca1/server', pin='', p12_pin='') + assert result.returncode == 0 + + def test_no_ds_password(self): + "Install new DS certificate with no PKCS#12 password" + + result = self.certinstall('w', 'ca1/server', pin='', p12_pin='') + assert result.returncode == 0