IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

test_caless: test PKINIT install and anchor update

Browse Source 
Add test case for installing PKINIT and anchor update when using
3rd party CA after caless installation. Related to #6831 issue.

https://pagure.io/freeipa/issue/7233

Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
Michal Reznik
2017-10-25 18:08:03 +02:00
committed by Christian Heimes
parent dbb7784b90
commit 434d7d423c
1 changed files with 34 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
ipatests/test_integration/test_caless.py
View File

@@ -123,6 +123,8 @@ class CALessBase(IntegrationTest):
def install(cls, mh): def install(cls, mh):
cls.cert_dir = tempfile.mkdtemp(prefix="ipatest-") cls.cert_dir = tempfile.mkdtemp(prefix="ipatest-")
cls.pem_filename = os.path.join(cls.cert_dir, 'root.pem') cls.pem_filename = os.path.join(cls.cert_dir, 'root.pem')
cls.ca2_crt = 'ca2_crt.pem'
cls.ca2_kdc_crt = 'ca2_kdc_crt.pem'
cls.cert_password = cls.master.config.admin_password cls.cert_password = cls.master.config.admin_password
cls.crl_path = os.path.join(cls.master.config.test_dir, 'crl') cls.crl_path = os.path.join(cls.master.config.test_dir, 'crl')
@@ -324,7 +326,7 @@ class CALessBase(IntegrationTest):
# to construct whole chain e.g "ca1 - ca1/sub - ca1/sub/server" # to construct whole chain e.g "ca1 - ca1/sub - ca1/sub/server"
for index, _value in enumerate(nick_chain): for index, _value in enumerate(nick_chain):
cert_nick = '/'.join(nick_chain[:index+1]) cert_nick = '/'.join(nick_chain[:index + 1])
cert_path = '{}.crt'.format(os.path.join(cls.cert_dir, cert_nick)) cert_path = '{}.crt'.format(os.path.join(cls.cert_dir, cert_nick))
if os.path.isfile(cert_path): if os.path.isfile(cert_path):
fname_chain.append(cert_path) fname_chain.append(cert_path)
@@ -337,15 +339,17 @@ class CALessBase(IntegrationTest):
ipautil.run(["openssl", "pkcs12", "-export", "-out", filename, ipautil.run(["openssl", "pkcs12", "-export", "-out", filename,
"-inkey", key_fname, "-in", certchain_fname, "-passin", "-inkey", key_fname, "-in", certchain_fname, "-passin",
"pass:"+cls.cert_password, "-passout", "pass:"+password, "pass:" + cls.cert_password, "-passout", "pass:" +
"-name", nickname], cwd=cls.cert_dir) password, "-name", nickname], cwd=cls.cert_dir)
@classmethod @classmethod
def prepare_cacert(cls, nickname): def prepare_cacert(cls, nickname, filename=None):
""" Prepare pem file for root_ca_file/ca-cert-file option """ """ Prepare pem file for root_ca_file/ca-cert-file option """
if filename is None:
filename = cls.pem_filename.split(os.sep)[-1]
# create_caless_pki saves certificates with ".crt" extension by default # create_caless_pki saves certificates with ".crt" extension by default
fname_from_nick = '{}.crt'.format(os.path.join(cls.cert_dir, nickname)) fname_from_nick = '{}.crt'.format(os.path.join(cls.cert_dir, nickname))
shutil.copy(fname_from_nick, cls.pem_filename) shutil.copy(fname_from_nick, os.path.join(cls.cert_dir, filename))
@classmethod @classmethod
def get_pem(cls, nickname): def get_pem(cls, nickname):
@@ -436,7 +440,10 @@ class TestServerInstall(CALessBase):
self.create_pkcs12('ca1/server') self.create_pkcs12('ca1/server')
self.prepare_cacert('ca1') self.prepare_cacert('ca1')
self.prepare_cacert('ca2') self.prepare_cacert('ca2', filename=self.ca2_crt)
with open(self.pem_filename, 'a') as ca1:
with open(os.path.join(self.cert_dir, self.ca2_crt), 'r') as ca2:
ca1.write(ca2.read())
result = self.install_server() result = self.install_server()
assert_error(result, 'root.pem contains more than one certificate') assert_error(result, 'root.pem contains more than one certificate')
@@ -1270,7 +1277,7 @@ class TestCertInstall(CALessBase):
filename='server.p12', pin=_DEFAULT, stdin_text=None, filename='server.p12', pin=_DEFAULT, stdin_text=None,
p12_pin=None, args=None): p12_pin=None, args=None):
if cert_nick: if cert_nick:
self.create_pkcs12(cert_nick, password=p12_pin) self.create_pkcs12(cert_nick, password=p12_pin, filename=filename)
if pin is _DEFAULT: if pin is _DEFAULT:
pin = self.cert_password pin = self.cert_password
if cert_exists: if cert_exists:
@@ -1496,6 +1503,26 @@ class TestCertInstall(CALessBase):
args=args, stdin_text=stdin_text) args=args, stdin_text=stdin_text)
assert_error(result, "no such option: --dirsrv-pin") assert_error(result, "no such option: --dirsrv-pin")
def test_anon_pkinit_with_external_CA(self):
test_dir = self.master.config.test_dir
self.prepare_cacert('ca2', filename=self.ca2_crt)
self.copy_cert(self.master, self.ca2_crt)
result = self.master.run_command(['ipa-cacert-manage', 'install',
os.path.join(test_dir, self.ca2_crt)]
)
assert result.returncode == 0
result = self.master.run_command(['ipa-certupdate'])
assert result.returncode == 0
result = self.certinstall('k', 'ca2/server-kdc',
filename=self.ca2_kdc_crt)
assert result.returncode == 0
result = self.master.run_command(['systemctl', 'restart', 'krb5kdc'])
assert result.returncode == 0
result = self.master.run_command(['kinit', '-n'])
assert result.returncode == 0
class TestPKINIT(CALessBase): class TestPKINIT(CALessBase):
"""Install master and replica with PKINIT""" """Install master and replica with PKINIT"""