ipatests: check KDC cert permissions in CA less install

The KDC certificate file must be stored with 644 permissions. Add a test checking the file permissions on server + replica. Related: https://pagure.io/freeipa/issue/8440 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-08-03 18:53:47 +02:00 · 2020-08-03 18:53:47 +02:00 · a26e0ba558
commit a26e0ba558
parent 9335bd9299
1 changed files with 9 additions and 0 deletions
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@ -1527,6 +1527,13 @@ class TestCertInstall(CALessBase):
        assert result.returncode == 0


+def verify_kdc_cert_perms(host):
+    """Verify that the KDC cert pem file has 0644 perms"""
+    cmd = host.run_command(['stat', '-c',
+                           '"%a %G:%U"', paths.KDC_CERT])
+    assert "644 root:root" in cmd.stdout_text
+
+
 class TestPKINIT(CALessBase):
    """Install master and replica with PKINIT"""
    num_replicas = 1
@ -1540,6 +1547,7 @@ class TestPKINIT(CALessBase):
        result = cls.install_server(pkinit_pkcs12_exists=True,
                                    pkinit_pin=_DEFAULT)
        assert result.returncode == 0
+        verify_kdc_cert_perms(cls.master)

    @replica_install_teardown
    def test_server_replica_install_pkinit(self):
@ -1549,6 +1557,7 @@ class TestPKINIT(CALessBase):
                                      pkinit_pin=_DEFAULT)
        assert result.returncode == 0
        self.verify_installation()
+        verify_kdc_cert_perms(self.replicas[0])


 class TestServerReplicaCALessToCAFull(CALessBase):