ipatests: CA renewal must refresh cn=CAcert
Add a test checking that the entry cn=CAcert,cn=ipa,cn=etc,BASEDN is properly updated when the CA is renewed. The test also checks that the entry cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN properly contains ipaconfigstring: compatCA and ipaconfigstring: ipaCA. Related to https://pagure.io/freeipa/issue/7928 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
parent
9cd88587e4
commit
4804103315
@ -27,7 +27,9 @@ from cryptography.hazmat.backends import default_backend
|
||||
|
||||
from ipatests.pytest_ipa.integration import tasks
|
||||
from ipatests.test_integration.base import IntegrationTest
|
||||
from ipalib import x509 as ipa_x509
|
||||
from ipaplatform.paths import paths
|
||||
from ipapython.dn import DN
|
||||
|
||||
from itertools import chain, repeat
|
||||
from ipatests.create_external_ca import ExternalCA, ISSUER_CN
|
||||
@ -191,6 +193,32 @@ class TestExternalCA(IntegrationTest):
|
||||
'-U'])
|
||||
|
||||
|
||||
def verify_caentry(host, cert):
|
||||
"""
|
||||
Verify the content of cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,basedn
|
||||
and make sure that ipaConfigString contains the expected values.
|
||||
Verify the content of cn=cacert,cn=certificates,cn=ipa,cn=etc,basedn
|
||||
and make sure that it contains the expected certificate.
|
||||
"""
|
||||
# Check the LDAP entry
|
||||
ldap = host.ldap_connect()
|
||||
# cn=DOMAIN IPA CA must contain ipaConfigString: ipaCa, compatCA
|
||||
ca_nick = '{} IPA CA'.format(host.domain.realm)
|
||||
entry = ldap.get_entry(DN(('cn', ca_nick), ('cn', 'certificates'),
|
||||
('cn', 'ipa'), ('cn', 'etc'),
|
||||
host.domain.basedn))
|
||||
ipaconfigstring = [x.lower() for x in entry.get('ipaconfigstring')]
|
||||
expected = ['compatca', 'ipaca']
|
||||
assert expected == sorted(ipaconfigstring)
|
||||
|
||||
# cn=cacert,cn=certificates,cn=etc,basedn must contain the latest
|
||||
# IPA CA
|
||||
entry2 = ldap.get_entry(DN(('cn', 'CACert'), ('cn', 'ipa'),
|
||||
('cn', 'etc'), host.domain.basedn))
|
||||
cert_from_ldap = entry2.single_value['cACertificate']
|
||||
assert cert == cert_from_ldap
|
||||
|
||||
|
||||
class TestSelfExternalSelf(IntegrationTest):
|
||||
"""
|
||||
Test self-signed > external CA > self-signed test case.
|
||||
@ -199,6 +227,11 @@ class TestSelfExternalSelf(IntegrationTest):
|
||||
result = tasks.install_master(self.master)
|
||||
assert result.returncode == 0
|
||||
|
||||
# Check the content of the ldap entries for the CA
|
||||
remote_cacrt = self.master.get_file_contents(paths.IPA_CA_CRT)
|
||||
cacrt = ipa_x509.load_pem_x509_certificate(remote_cacrt)
|
||||
verify_caentry(self.master, cacrt)
|
||||
|
||||
def test_switch_to_external_ca(self):
|
||||
|
||||
result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
|
||||
@ -225,6 +258,11 @@ class TestSelfExternalSelf(IntegrationTest):
|
||||
result = check_CA_flag(self.master)
|
||||
assert bool(result), ('External CA does not have "C" flag')
|
||||
|
||||
# Check that ldap entries for the CA have been updated
|
||||
remote_cacrt = self.master.get_file_contents(ipa_ca_fname)
|
||||
cacrt = ipa_x509.load_pem_x509_certificate(remote_cacrt)
|
||||
verify_caentry(self.master, cacrt)
|
||||
|
||||
def test_issuerDN_after_renew_to_external(self):
|
||||
""" Check if issuer DN is updated after self-signed > external-ca
|
||||
|
||||
|
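Review bot: The docstring of `verify_caentry` and the comment above the second lookup describe the entry as `cn=cacert,cn=certificates,...`, but the DN actually read is `cn=CACert,cn=ipa,cn=etc,basedn` with no `cn=certificates` RDN, which is also what the commit title says; both should read `cn=CAcert,cn=ipa,cn=etc,basedn` so the test documents the trust-anchor entry it really verifies. `entry.get('ipaconfigstring')` returns None when the attribute is absent, so a regression that drops ipaConfigString entirely surfaces as a TypeError in the list comprehension rather than a readable assertion failure; `entry.get('ipaconfigstring', [])` keeps the failure an assertion with the expected-vs-actual values in the report. The final `assert cert == cert_from_ldap` presumably relies on the LDAP layer decoding `cACertificate` into the same certificate type that `load_pem_x509_certificate` returns; if that attribute comes back as raw DER the comparison fails on type, not content, so comparing the DER encodings of both sides explicitly would make the intent unambiguous. The `ldap_connect()` handle is never closed, which is harmless in a test but worth noting since the helper is now called from several tests. The methods in the later hunks begin outside the hunk boundaries.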