Adding test-cases for ipa-cacert-manage
Scenario1: Set up external CA1 and install ipa-server with CA1. Set up external CA2 and renew ipa-server with CA2. Get information to compare the CA change for CA1 and CA2; it should show a different Issuer between install and renewal. Scenario2: Renew CA Cert on Replica using ipa-cacert-manage and verify that replica is caRenewalMaster. Signed-off-by: Anuja More <amore@redhat.com> Reviewed-By: Michal Reznik <mreznik@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
parent
61dc15e5ef
commit
51b9a82f7c
@ -20,6 +20,7 @@ from __future__ import absolute_import
|
|||||||
import os
|
import os
|
||||||
import re
|
import re
|
||||||
import time
|
import time
|
||||||
|
import tempfile
|
||||||
|
|
||||||
from ipatests.pytest_plugins.integration import tasks
|
from ipatests.pytest_plugins.integration import tasks
|
||||||
from ipatests.test_integration.base import IntegrationTest
|
from ipatests.test_integration.base import IntegrationTest
|
||||||
@ -279,3 +280,60 @@ class TestExternalCAInstall(IntegrationTest):
|
|||||||
# Install new cert
|
# Install new cert
|
||||||
self.master.run_command([paths.IPA_CACERT_MANAGE, 'install',
|
self.master.run_command([paths.IPA_CACERT_MANAGE, 'install',
|
||||||
root_ca_fname])
|
root_ca_fname])
|
||||||
|
|
||||||
|
|
||||||
|
class TestMultipleExternalCA(IntegrationTest):
|
||||||
|
"""Setup externally signed ca1
|
||||||
|
|
||||||
|
install ipa-server with externally signed ca1
|
||||||
|
Setup externally signed ca2 and renew ipa-server with
|
||||||
|
externally signed ca2 and check the difference in certificate
|
||||||
|
"""
|
||||||
|
|
||||||
|
def test_master_install_ca1(self):
|
||||||
|
install_server_external_ca_step1(self.master)
|
||||||
|
# Sign CA, transport it to the host and get ipa a root ca paths.
|
||||||
|
root_ca_fname1 = tempfile.mkdtemp(suffix='root_ca.crt', dir=paths.TMP)
|
||||||
|
ipa_ca_fname1 = tempfile.mkdtemp(suffix='ipa_ca.crt', dir=paths.TMP)
|
||||||
|
|
||||||
|
ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR)
|
||||||
|
|
||||||
|
external_ca = ExternalCA()
|
||||||
|
root_ca = external_ca.create_ca(cn='RootCA1')
|
||||||
|
ipa_ca = external_ca.sign_csr(ipa_csr)
|
||||||
|
self.master.put_file_contents(root_ca_fname1, root_ca)
|
||||||
|
self.master.put_file_contents(ipa_ca_fname1, ipa_ca)
|
||||||
|
# Step 2 of ipa-server-install.
|
||||||
|
install_server_external_ca_step2(self.master, ipa_ca_fname1,
|
||||||
|
root_ca_fname1)
|
||||||
|
|
||||||
|
cert_nick = "caSigningCert cert-pki-ca"
|
||||||
|
result = self.master.run_command([
|
||||||
|
'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR,
|
||||||
|
'-n', cert_nick])
|
||||||
|
assert "CN=RootCA1" in result.stdout_text
|
||||||
|
|
||||||
|
def test_master_install_ca2(self):
|
||||||
|
root_ca_fname2 = tempfile.mkdtemp(suffix='root_ca.crt', dir=paths.TMP)
|
||||||
|
ipa_ca_fname2 = tempfile.mkdtemp(suffix='ipa_ca.crt', dir=paths.TMP)
|
||||||
|
|
||||||
|
self.master.run_command([
|
||||||
|
paths.IPA_CACERT_MANAGE, 'renew', '--external-ca'])
|
||||||
|
|
||||||
|
ipa_csr = self.master.get_file_contents(paths.IPA_CA_CSR)
|
||||||
|
|
||||||
|
external_ca = ExternalCA()
|
||||||
|
root_ca = external_ca.create_ca(cn='RootCA2')
|
||||||
|
ipa_ca = external_ca.sign_csr(ipa_csr)
|
||||||
|
self.master.put_file_contents(root_ca_fname2, root_ca)
|
||||||
|
self.master.put_file_contents(ipa_ca_fname2, ipa_ca)
|
||||||
|
# Step 2 of ipa-server-install.
|
||||||
|
self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
|
||||||
|
'--external-cert-file', ipa_ca_fname2,
|
||||||
|
'--external-cert-file', root_ca_fname2])
|
||||||
|
|
||||||
|
cert_nick = "caSigningCert cert-pki-ca"
|
||||||
|
result = self.master.run_command([
|
||||||
|
'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR,
|
||||||
|
'-n', cert_nick])
|
||||||
|
assert "CN=RootCA2" in result.stdout_text
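Review bot: `tempfile.mkdtemp(suffix='root_ca.crt', dir=paths.TMP)` in test_master_install_ca1, and again in test_master_install_ca2, creates a directory on the machine running the tests; only its name is then reused as a file path in `self.master.put_file_contents(...)`. When the master is a separate host, nothing reserves that path there, so the root CA and signed IPA CA certificates later passed to `--external-cert-file` are written to an unreserved name under the shared `paths.TMP`, and each call leaves an empty directory behind on the controller. Reserving the file on the target host avoids both, for example `root_ca_fname2 = self.master.run_command(['mktemp', '-p', paths.TMP, '--suffix=root_ca.crt']).stdout_text.strip()`. Separately, `assert "CN=RootCA2" in result.stdout_text` matches anywhere in the certutil output, so matching the Issuer line specifically would pin down the comparison the commit message describes.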
|
||||||
|
@ -484,6 +484,19 @@ class TestRenewalMaster(IntegrationTest):
|
|||||||
"Replica hostname found among CA renewal masters"
|
"Replica hostname found among CA renewal masters"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def test_renewal_replica_with_ipa_ca_cert_manage(self):
|
||||||
|
"""Make replica as IPA CA renewal master using
|
||||||
|
ipa-cacert-manage --renew"""
|
||||||
|
master = self.master
|
||||||
|
replica = self.replicas[0]
|
||||||
|
self.assertCARenewalMaster(master, master.hostname)
|
||||||
|
replica.run_command([paths.IPA_CACERT_MANAGE, 'renew'])
|
||||||
|
self.assertCARenewalMaster(replica, replica.hostname)
|
||||||
|
# set master back to ca-renewal-master
|
||||||
|
master.run_command([paths.IPA_CACERT_MANAGE, 'renew'])
|
||||||
|
self.assertCARenewalMaster(master, master.hostname)
|
||||||
|
self.assertCARenewalMaster(replica, master.hostname)
|
||||||
|
|
||||||
def test_manual_renewal_master_transfer(self):
|
def test_manual_renewal_master_transfer(self):
|
||||||
replica = self.replicas[0]
|
replica = self.replicas[0]
|
||||||
replica.run_command(['ipa', 'config-mod',
|
replica.run_command(['ipa', 'config-mod',
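Review bot: The docstring of test_renewal_replica_with_ipa_ca_cert_manage names `ipa-cacert-manage --renew`, but the test runs the `renew` subcommand (`[paths.IPA_CACERT_MANAGE, 'renew']`); `"""Make the replica the IPA CA renewal master using ipa-cacert-manage renew"""` would match the code. The renewal-master role is handed back to the master only on the last lines of the test, so a failed assertion after `replica.run_command(...)` leaves the replica as renewal master, which may affect the tests that follow in TestRenewalMaster. Putting the `master.run_command([paths.IPA_CACERT_MANAGE, 'renew'])` call in a `finally:` block would keep the class state stable across tests. The class body starts outside this hunk, and test_manual_renewal_master_transfer continues past it.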
|
||||||
|