ipatests: check HTTP certificate contains ipa-ca.$DOMAIN dnsname

Add integration test that confirms that on CA-ful installation, the (non-3rd-party) HTTP certificate bears the ipa-ca.$DOMAIN DNS name. For detailed discussion on the purpose of this change and the design decisions made, see `git log -1 $THIS_COMMIT~4`. Part of: https://pagure.io/freeipa/issue/8186 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-03-10 18:34:03 +11:00 · 2020-03-10 18:34:03 +11:00 · 45b5384b6e
commit 45b5384b6e
parent cf4c2c64b0
1 changed files with 12 additions and 0 deletions
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@ -17,6 +17,7 @@ from datetime import datetime, timedelta

 import pytest
 from cryptography.hazmat.primitives import hashes
+from cryptography import x509 as crypto_x509

 from ipalib import x509
 from ipalib.constants import DOMAIN_LEVEL_0
@ -736,6 +737,17 @@ class TestInstallMaster(IntegrationTest):
                assert key_size == 2048
            assert cert.signature_hash_algorithm.name == hashes.SHA256.name

+    def test_http_cert(self):
+        """
+        Test that HTTP certificate contains ipa-ca.$DOMAIN
+        DNS name.
+
+        """
+        data = self.master.get_file_contents(paths.HTTPD_CERT_FILE)
+        cert = x509.load_pem_x509_certificate(data)
+        name = f'ipa-ca.{self.master.domain.name}'
+        assert crypto_x509.DNSName(name) in cert.san_general_names
+
    def test_p11_kit_softhsm2(self):
        # check that p11-kit-proxy does not inject SoftHSM2
        result = self.master.run_command([