From 45b5384b6ef83aaf742bf7906d846e07db874ef8 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 10 Mar 2020 18:34:03 +1100
Subject: [PATCH] ipatests: check HTTP certificate contains ipa-ca.$DOMAIN dnsname

Add integration test that confirms that on CA-ful installation, the (non-3rd-party) HTTP certificate bears the ipa-ca.$DOMAIN DNS name. For detailed discussion on the purpose of this change and the design decisions made, see `git log -1 $THIS_COMMIT~4`.

Part of: https://pagure.io/freeipa/issue/8186
Reviewed-By: Rob Crittenden
---
 ipatests/test_integration/test_installation.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 830203289..d8fad7e06 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -17,6 +17,7 @@ from datetime import datetime, timedelta
 import pytest
 from cryptography.hazmat.primitives import hashes
+from cryptography import x509 as crypto_x509
 from ipalib import x509
 from ipalib.constants import DOMAIN_LEVEL_0
@@ -736,6 +737,17 @@ class TestInstallMaster(IntegrationTest):
 assert key_size == 2048
 assert cert.signature_hash_algorithm.name == hashes.SHA256.name
+ def test_http_cert(self):
+ """
+ Test that HTTP certificate contains ipa-ca.$DOMAIN
+ DNS name.
+
+ """
+ data = self.master.get_file_contents(paths.HTTPD_CERT_FILE)
+ cert = x509.load_pem_x509_certificate(data)
+ name = f'ipa-ca.{self.master.domain.name}'
+ assert crypto_x509.DNSName(name) in cert.san_general_names
+
 def test_p11_kit_softhsm2(self):
 # check that p11-kit-proxy does not inject SoftHSM2
 result = self.master.run_command([
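Review bot: test_http_cert asserts only that the ipa-ca name is present in the SAN, so a regression that put ipa-ca.$DOMAIN there in place of the server's own name would still pass, even though clients connecting to the master by hostname would then fail certificate verification. Pinning both names closes that gap, for example by adding `assert crypto_x509.DNSName(self.master.hostname) in cert.san_general_names` next to the existing assertion. The bare assert also reports nothing about which names the certificate did carry; giving it a message such as `f'{name} not in {cert.san_general_names}'` would make a failure diagnosable from the test log alone. TestInstallMaster begins outside this hunk, so whether another test already covers the host name, or guarantees the CA-ful, non-3rd-party precondition named in the commit message, cannot be seen from here.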