test_external_ca: selfsigned->ext_ca->selfsigned

Add selfsigned > external_ca > selfsigned test case. Covers Pagure issue #7106 https://pagure.io/freeipa/issue/7302 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-12-06 11:53:35 +01:00 · 2017-12-06 11:53:35 +01:00 · ad996d79c6
commit ad996d79c6
parent efe21a1bda
1 changed files with 106 additions and 19 deletions
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
@ -15,11 +15,53 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

-import os
+import re
+import time

 from ipatests.pytest_plugins.integration import tasks
 from ipatests.test_integration.base import IntegrationTest
-from ipatests.test_integration.create_external_ca import ExternalCA
+from ipaplatform.paths import paths
+
+from itertools import chain, repeat
+
+IPA_CA = 'ipa_ca.crt'
+ROOT_CA = 'root_ca.crt'
+
+# string to identify PKI restart in the journal
+PKI_START_STR = 'Started pki_tomcatd'
+
+
+def check_CA_flag(host, nssdb=paths.PKI_TOMCAT_ALIAS_DIR,
+                  cn='example.test'):
+    """
+    Check if external CA (by default 'example.test' in our test env) has
+    CA flag in nssdb.
+    """
+    result = host.run_command(['certutil', '-L', '-d', nssdb])
+    text = result.stdout_text
+
+    # match CN in cert nickname and C flag in SSL section of NSS flags table
+    match_CA_flag = re.compile('.*{}.*\s+C'.format(cn))
+    match = re.search(match_CA_flag, text)
+
+    return match
+
+
+def match_in_journal(host, string, since='today', services=('certmonger',)):
+    """
+    Returns match object for the particular string.
+    """
+    # prepend '-u' before every service name
+    service_args = list(chain.from_iterable(list(zip(repeat('-u'), services))))
+    command_args = ['journalctl', '--since={}'.format(since)] + service_args
+    result = host.run_command(command_args)
+
+    output = result.stdout_text
+
+    traceback = re.compile(string)
+    match = re.search(traceback, output)
+
+    return match


 class TestExternalCA(IntegrationTest):
@ -40,23 +82,9 @@ class TestExternalCA(IntegrationTest):
            '--external-ca'
        ])

-        test_dir = self.master.config.test_dir
-
-        # Get IPA CSR as bytes
-        ipa_csr = self.master.get_file_contents('/root/ipa.csr')
-
-        external_ca = ExternalCA()
-        # Create root CA
-        root_ca = external_ca.create_ca()
-        # Sign CSR
-        ipa_ca = external_ca.sign_csr(ipa_csr)
-
-        root_ca_fname = os.path.join(test_dir, 'root_ca.crt')
-        ipa_ca_fname = os.path.join(test_dir, 'ipa_ca.crt')
-
-        # Transport certificates (string > file) to master
-        self.master.put_file_contents(root_ca_fname, root_ca)
-        self.master.put_file_contents(ipa_ca_fname, ipa_ca)
+        # Sign CA, transport it to the host and get ipa a root ca paths.
+        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
+            self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)

        # Step 2 of ipa-server-install
        self.master.run_command([
@ -71,3 +99,62 @@ class TestExternalCA(IntegrationTest):
        tasks.kinit_admin(self.master)
        result = self.master.run_command(['ipa', 'user-show', 'admin'])
        assert 'User login: admin' in result.stdout_text
+
+
+class TestSelfExternalSelf(IntegrationTest):
+    """
+    Test self-signed > external CA > self-signed test case.
+    """
+    def test_install_master(self):
+        result = tasks.install_master(self.master)
+        assert result.returncode == 0
+
+    def test_switch_to_external_ca(self):
+
+        result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
+                                         '--external-ca'])
+        assert result.returncode == 0
+
+        # Sign CA, transport it to the host and get ipa a root ca paths.
+        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
+            self.master, paths.IPA_CA_CSR, ROOT_CA, IPA_CA)
+
+        # renew CA with externally signed one
+        result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
+                                          '--external-cert-file={}'.
+                                          format(ipa_ca_fname),
+                                          '--external-cert-file={}'.
+                                          format(root_ca_fname)])
+        assert result.returncode == 0
+
+        # update IPA certificate databases
+        result = self.master.run_command([paths.IPA_CERTUPDATE])
+        assert result.returncode == 0
+
+        # Check if external CA have "C" flag after the switch
+        result = check_CA_flag(self.master)
+        assert bool(result), ('External CA does not have "C" flag')
+
+    def test_switch_back_to_self_signed(self):
+
+        # for journalctl --since
+        switch_time = time.strftime('%H:%M:%S')
+        # switch back to self-signed CA
+        result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
+                                          '--self-signed'])
+        assert result.returncode == 0
+
+        # Confirm there is no traceback in the journal
+        result = match_in_journal(self.master, since=switch_time,
+                                  string='Traceback')
+        assert not bool(result), ('"Traceback" keyword found in the journal.'
+                                  'Please check further')
+
+        # Check if pki-tomcatd was started after switching back.
+        result = match_in_journal(self.master, since=switch_time,
+                                  string=PKI_START_STR)
+        assert bool(result), ('pki_tomcatd not started after switching back to'
+                              'self-signed CA')
+
+        result = self.master.run_command([paths.IPA_CERTUPDATE])
+        assert result.returncode == 0