ipatests: Check permissions of /etc/ipa/ca.crt new installations

It should be 0644 root:root for both CA-ful and CA-less installs. https://pagure.io/freeipa/issue/8441 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-08-04 15:12:20 -04:00 · 2020-08-04 15:12:20 -04:00 · 7e37b45e02
commit 7e37b45e02
parent ec367aa479
2 changed files with 18 additions and 0 deletions
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@ -394,6 +394,14 @@ class CALessBase(IntegrationTest):
                         host, cert_from_ldap.public_bytes(x509.Encoding.PEM))
            assert cert_from_ldap == expected_cacrt

+            result = host.run_command(
+                ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
+            )
+            (owner, group, mode) = result.stdout_text.strip().split(':')
+            assert owner == "root"
+            assert group == "root"
+            assert mode == "644"
+
            # Verify certmonger was not started
            result = host.run_command(['getcert', 'list'], raiseonerr=False)
            assert result.returncode == 0
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@ -346,6 +346,16 @@ class TestInstallCA(IntegrationTest):
        status = tasks.wait_for_request(self.master, request_id[0], 300)
        assert status == "MONITORING"

+    def test_ipa_ca_crt_permissions(self):
+        """Verify that /etc/ipa/ca.cert is mode 0644 root:root"""
+        result = self.master.run_command(
+            ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
+        )
+        out = str(result.stdout_text.strip())
+        (owner, group, mode) = out.split(':')
+        assert mode == "644"
+        assert owner == "root"
+        assert group == "root"

 class TestInstallWithCA_KRA1(InstallTestBase1):