ipatests: tests related to --token-password-file

Test automation added around the --token-password-file option for server/replica/kra install. Related: https://pagure.io/freeipa/issue/9603 Signed-off-by: Mohammad Rizwan <myusuf@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-12-22 15:13:50 -06:00 · 2024-06-13 14:07:57 +05:30 · 2024-06-13 14:07:57 +05:30 · 4ea1ad6aca
commit 4ea1ad6aca
parent 7ab1bcb2d3
1 changed files with 77 additions and 8 deletions
--- a/ipatests/test_integration/test_hsm.py
+++ b/ipatests/test_integration/test_hsm.py
@ -163,6 +163,7 @@ class BaseHSMTest(IntegrationTest):
    master_extra_args = []
    token_password = None
    token_name = None
+    token_password_file = '/tmp/token_password'
    random_serial = False

    @classmethod
@ -191,7 +192,7 @@ class BaseHSMTest(IntegrationTest):
        delete_hsm_token([cls.master] + cls.replicas, cls.token_name)

    @classmethod
-    def sync_tokens(cls, source):
+    def sync_tokens(cls, source, token_name=None):
        """Synchronize non-networked HSM tokens between machines
           source: source host for the token data
        """
@ -207,7 +208,8 @@ class BaseHSMTest(IntegrationTest):
        for host in [cls.master] + cls.replicas:
            if host == source:
                continue
-            copy_token_files(source, [host], cls.token_name)
+            copy_token_files(source, [host],
+                             token_name if token_name else cls.token_name)


 class TestHSMInstall(BaseHSMTest):
@ -218,6 +220,10 @@ class TestHSMInstall(BaseHSMTest):

    def test_hsm_install_replica0_ca_less_install(self):
        check_version(self.master)
+
+        self.master.put_file_contents(
+            self.token_password_file, self.token_password
+        )
        tasks.install_replica(
            self.master, self.replicas[0], setup_ca=False,
            setup_dns=True,
@ -307,6 +313,50 @@ class TestHSMInstall(BaseHSMTest):
        assert returncode == 0
        assert output == "No issues found."

+    def test_hsm_install_server_password_file(self):
+        check_version(self.master)
+        # cleanup before fresh install with password file
+        for client in self.clients:
+            tasks.uninstall_client(client)
+
+        for replica in self.replicas:
+            tasks.uninstall_master(replica)
+
+        tasks.uninstall_master(self.master)
+
+        delete_hsm_token([self.master] + self.replicas, self.token_name)
+        self.token_name, self.token_password = get_hsm_token(self.master)
+        self.master.put_file_contents(self.token_password_file,
+                                      self.token_password)
+        self.replicas[0].put_file_contents(self.token_password_file,
+                                           self.token_password)
+
+        tasks.install_master(
+            self.master, setup_dns=self.master_with_dns,
+            setup_kra=self.master_with_kra,
+            setup_adtrust=self.master_with_ad,
+            extra_args=(
+                '--token-name', self.token_name,
+                '--token-library-path', hsm_lib_path,
+                '--token-password-file', self.token_password_file
+            )
+        )
+        self.sync_tokens(self.master, token_name=self.token_name)
+
+    def test_hsm_install_replica0_password_file(self):
+        check_version(self.master)
+        tasks.install_replica(
+            self.master, self.replicas[0], setup_ca=True,
+            extra_args=('--token-password-file', self.token_password_file,)
+        )
+
+    def test_hsm_install_replica0_kra_password_file(self):
+        check_version(self.master)
+        tasks.install_kra(
+            self.replicas[0],
+            extra_args=('--token-password-file', self.token_password_file,)
+        )
+

 class TestHSMInstallADTrustBase(BaseHSMTest):
    """
@ -321,7 +371,7 @@ class TestHSMInstallADTrustBase(BaseHSMTest):
        check_version(self.master)
        tasks.install_replica(
            self.master, self.replicas[0], setup_ca=True,
-            setup_adtrust=True, setup_kra=True, setup_dns=True,
+            setup_adtrust=False, setup_kra=True, setup_dns=True,
            nameservers='master' if self.master_with_dns else None,
            extra_args=('--token-password', self.token_password,)
        )
@ -356,7 +406,8 @@ class TestHSMcertRenewal(BaseHSMTest):
            'auditSigningCert cert-pki-ca': 'caauditSigningCert'
        }
        CA_TRACKING_REQS.update(KRA_TRACKING_REQS)
-        self.master.put_file_contents('/tmp/token_passwd', self.token_password)
+        self.master.put_file_contents(self.token_password_file,
+                                      self.token_password)
        for nickname in CA_TRACKING_REQS:
            cert = tasks.certutil_fetch_cert(
                self.master,
@ -772,6 +823,7 @@ class TestHSMcertFixReplica(BaseHSMTest):
 class TestHSMNegative(IntegrationTest):

    master_with_dns = False
+    token_password_file = '/tmp/token_password'

    @classmethod
    def install(cls, mh):
@ -792,7 +844,6 @@ class TestHSMNegative(IntegrationTest):
                '--token-password', self.token_password
            )
        )
-        # assert 'error message non existing token name' in result.stderr_text
        assert result.returncode != 0

        # wrong token password
@ -804,7 +855,6 @@ class TestHSMNegative(IntegrationTest):
                '--token-password', 'token_passwd'
            )
        )
-        # assert 'error message wrong  passwd' in result.stderr_text
        assert result.returncode != 0

        # wrong token lib
@ -816,7 +866,6 @@ class TestHSMNegative(IntegrationTest):
                '--token-password', self.token_password
            )
        )
-        # assert 'error message non existing token lib' in result.stderr_text
        assert result.returncode != 0

    def test_hsm_negative_special_char_token_name(self):
@ -842,7 +891,27 @@ class TestHSMNegative(IntegrationTest):
                '--token-password', token_passwd
            )
        )
-        # assert 'error message non existing token lib' in result.stderr_text
+        assert result.returncode != 0
+
+    def test_hsm_negative_token_password_and_file(self):
+        """Test token-password and token-password-file at same time
+
+        Test if command fails when --token-password and --token-password-file
+        provided at the same time results into command failure.
+        """
+        check_version(self.master)
+        self.master.put_file_contents(
+            self.token_password_file, self.token_password
+        )
+        result = tasks.install_master(
+            self.master, raiseonerr=False,
+            extra_args=(
+                '--token-name', self.token_name,
+                '--token-library-path', hsm_lib_path,
+                '--token-password', self.token_password,
+                '--token-password-file', self.token_password_file
+            )
+        )
        assert result.returncode != 0