ipatests: Respect platform's openssl dir

There are different build configurations of OpenSSL from one distro
to another. For example,

Debian: '--openssldir=/usr/lib/ssl',
Fedora: '--openssldir=/etc/pki/tls',
openSUSE: '--openssldir=/etc/ssl',
ALTLinux: '--openssldir=/var/lib/ssl'.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Stanislav Levin 2019-09-30 14:59:25 +03:00 committed by Alexander Bokovoy
parent a33530f2f6
commit be006ad6c4
6 changed files with 119 additions and 46 deletions


@ -215,6 +215,9 @@ class BasePathNamespace:
ODS_ENFORCER = "/usr/sbin/ods-enforcer"
ODS_ENFORCER_DB_SETUP = "/usr/sbin/ods-enforcer-db-setup"
OPENSSL = "/usr/bin/openssl"
OPENSSL_DIR = "/etc/pki/tls"
OPENSSL_CERTS_DIR = "/etc/pki/tls/certs"
OPENSSL_PRIVATE_DIR = "/etc/pki/tls/private"
PK12UTIL = "/usr/bin/pk12util"
SOFTHSM2_UTIL = "/usr/bin/softhsm2-util"
SSLGET = "/usr/bin/sslget"
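Review bot: OPENSSL_CERTS_DIR and OPENSSL_PRIVATE_DIR are independent literals rather than derived from OPENSSL_DIR, so a platform namespace that overrides only OPENSSL_DIR would silently keep /etc/pki/tls/certs and /etc/pki/tls/private for the subdirectories; the Debian and SUSE namespaces in this commit do override all three, but nothing here records that requirement. I would add above OPENSSL_DIR: `# openssldir differs per distro; a platform overriding OPENSSL_DIR must also override OPENSSL_CERTS_DIR and OPENSSL_PRIVATE_DIR.` Deriving them in the class body (e.g. `OPENSSL_DIR + "/certs"`) would not remove the need for the comment, since a class-body reference binds at definition time and is not re-evaluated in subclasses.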


@ -43,6 +43,9 @@ class DebianPathNamespace(BasePathNamespace):
NAMED_MANAGED_KEYS_DIR = "/var/cache/bind/dynamic"
CHRONY_CONF = "/etc/chrony/chrony.conf"
OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf"
OPENSSL_DIR = "/usr/lib/ssl"
OPENSSL_CERTS_DIR = "/usr/lib/ssl/certs"
OPENSSL_PRIVATE_DIR = "/usr/lib/ssl/private"
ETC_DEBIAN_VERSION = "/etc/debian_version"
# Old versions of freeipa wrote all trusted certificates to a single
# file, which is not supported by ca-certificates.
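Review bot: /usr/lib/ssl is OpenSSL's openssldir on Debian, but it lives under /usr/lib and, as far as I recall, its certs and private entries are symlinks into /etc/ssl; it is worth confirming on the target images that /usr/lib/ssl/private actually exists and is writable in the expected way, because the tests in this commit create private keys there through ipa-getcert and remove them with `rm -f`, and /etc/ssl/private on Debian is root-owned with restrictive group permissions. The tests also write the `-F` CA file directly into OPENSSL_DIR, i.e. into /usr/lib/ssl itself, a package-owned directory. A comment such as `# certs/ and private/ under /usr/lib/ssl are symlinks into /etc/ssl on Debian (verify)` next to OPENSSL_DIR would make the layout explicit for maintainers.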


@ -29,6 +29,9 @@ class SusePathNamespace(BasePathNamespace):
NAMED_CUSTOM_OPTIONS_CONF = "/etc/named.d/ipa-options-ext.conf"
NAMED_VAR_DIR = "/var/lib/named"
NAMED_MANAGED_KEYS_DIR = "/var/lib/named/dyn"
OPENSSL_DIR = "/etc/ssl"
OPENSSL_CERTS_DIR = "/etc/ssl/certs"
OPENSSL_PRIVATE_DIR = "/etc/ssl/private"
IPA_P11_KIT = "/etc/pki/trust/ipa.p11-kit"
# Those files are only here to be able to configure them, we copy those in
# rpm spec to fillupdir
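Review bot: On openSUSE /etc/ssl/certs is, as far as I recall, a symlink to the ca-certificates generated trust directory that update-ca-certificates regenerates; the tests in this commit write end-entity certificates such as test.pem and postfix.pem into OPENSSL_CERTS_DIR, so confirm those files survive a trust-store refresh and cannot be picked up as trust anchors by tooling that scans that directory. If that is the case, a comment like `# /etc/ssl/certs is managed by ca-certificates on SUSE; tests only place files here transiently` next to OPENSSL_CERTS_DIR would record the caveat.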


@ -6,6 +6,8 @@
Module provides tests which testing ability of various certificate
related scenarios.
"""
import os
import ipaddress
import pytest
import random
@ -78,11 +80,13 @@ class TestInstallMasterClient(IntegrationTest):
related: https://pagure.io/freeipa/issue/8105
"""
cmd_arg = ['ipa-getcert', 'request',
'-f', '/etc/pki/tls/certs/test.pem',
'-k', '/etc/pki/tls/private/test.key',
'-K', 'test/%s' % self.clients[0].hostname,
'-F', '/etc/pki/tls/test.CA']
cmd_arg = [
"ipa-getcert", "request",
"-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"),
"-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"),
"-K", "test/%s" % self.clients[0].hostname,
"-F", os.path.join(paths.OPENSSL_DIR, "test.CA"),
]
result = self.clients[0].run_command(cmd_arg)
request_id = re.findall(r'\d+', result.stdout_text)
@ -90,13 +94,15 @@ class TestInstallMasterClient(IntegrationTest):
status = tasks.wait_for_request(self.clients[0], request_id[0], 50)
assert status == "MONITORING"
self.clients[0].run_command(['ls', '-l', '/etc/pki/tls/test.CA'])
self.clients[0].run_command(
["ls", "-l", os.path.join(paths.OPENSSL_DIR, "test.CA")]
)
def test_ipa_getcert_san_aci(self):
"""Test for DNS and IP SAN extensions + ACIs
"""
hostname = self.clients[0].hostname
certfile = '/etc/pki/tls/certs/test2.pem'
certfile = os.path.join(paths.OPENSSL_CERTS_DIR, "test2.pem")
tasks.kinit_admin(self.master)
@ -117,7 +123,7 @@ class TestInstallMasterClient(IntegrationTest):
cmd_arg = [
'ipa-getcert', 'request', '-v', '-w',
'-f', certfile,
'-k', '/etc/pki/tls/private/test2.key',
'-k', os.path.join(paths.OPENSSL_PRIVATE_DIR, "test2.key"),
'-K', f'test/{hostname}',
'-D', hostname,
'-A', self.clients[0].ip,
@ -182,9 +188,11 @@ class TestInstallMasterClient(IntegrationTest):
self.master.run_command(["ipa", "ca-disable", "mysubca"])
self.master.run_command(["ipa", "ca-del", "mysubca"])
self.master.run_command(
["rm", "-fv", "/etc/pki/tls/private/test.key"]
["rm", "-fv", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key")]
)
self.master.run_command(
["rm", "-fv", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem")]
)
self.master.run_command(["rm", "-fv", "/etc/pki/tls/certs/test.pem"])
def test_getcert_list_profile_using_subca(self, test_subca_certs):
"""
@ -199,10 +207,8 @@ class TestInstallMasterClient(IntegrationTest):
"ipa",
"-I",
"test-request",
"-k",
"/etc/pki/tls/private/test.key",
"-f",
"/etc/pki/tls/certs/test.pem",
"-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"),
"-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"),
"-D",
self.master.hostname,
"-K",
@ -245,12 +251,21 @@ class TestCertmongerRekey(IntegrationTest):
string.ascii_lowercase
) for i in range(10)
)
self.master.run_command([
'ipa-getcert', 'request',
'-f', '/etc/pki/tls/certs/{}.pem'.format(self.request_id),
'-k', '/etc/pki/tls/private/{}.key'.format(self.request_id),
'-I', self.request_id,
'-K', 'test/{}'.format(self.master.hostname)])
self.master.run_command(
[
'ipa-getcert', 'request',
'-f',
os.path.join(
paths.OPENSSL_CERTS_DIR, f"{self.request_id}.pem",
),
'-k',
os.path.join(
paths.OPENSSL_PRIVATE_DIR, f"{self.request_id}.key"
),
'-I', self.request_id,
'-K', 'test/{}'.format(self.master.hostname)
]
)
status = tasks.wait_for_request(self.master, self.request_id, 100)
assert status == "MONITORING"
@ -260,16 +275,20 @@ class TestCertmongerRekey(IntegrationTest):
'-i', self.request_id])
self.master.run_command(
[
'rm',
'-rf',
'/etc/pki/tls/certs/{}.pem'.format(self.request_id)
"rm",
"-rf",
os.path.join(
paths.OPENSSL_CERTS_DIR, f"{self.request_id}.pem"
),
]
)
self.master.run_command(
[
'rm',
'-rf',
'/etc/pki/tls/private/{}.key'.format(self.request_id)
"rm",
"-rf",
os.path.join(
paths.OPENSSL_PRIVATE_DIR, f"{self.request_id}.key"
),
]
)
@ -283,7 +302,7 @@ class TestCertmongerRekey(IntegrationTest):
related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165
"""
certdata = self.master.get_file_contents(
'/etc/pki/tls/certs/{}.pem'.format(self.request_id)
os.path.join(paths.OPENSSL_CERTS_DIR, f"{self.request_id}.pem")
)
cert = x509.load_pem_x509_certificate(
certdata, default_backend()
@ -299,7 +318,7 @@ class TestCertmongerRekey(IntegrationTest):
assert status == "MONITORING"
certdata = self.master.get_file_contents(
'/etc/pki/tls/certs/{}.pem'.format(self.request_id)
os.path.join(paths.OPENSSL_CERTS_DIR, f"{self.request_id}.pem")
)
cert = x509.load_pem_x509_certificate(
certdata, default_backend()
@ -352,11 +371,14 @@ class TestCertmongerRekey(IntegrationTest):
related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165
"""
result = self.master.run_command([
'ipa-getcert', 'request',
'-f', '/etc/pki/tls/certs/test_dsa.pem',
'-k', '/etc/pki/tls/private/test_dsa.key',
'-K', 'test/{}'.format(self.master.hostname)])
result = self.master.run_command(
[
'ipa-getcert', 'request',
'-f', os.path.join(paths.OPENSSL_CERTS_DIR, "test_dsa.pem"),
'-k', os.path.join(paths.OPENSSL_PRIVATE_DIR, "test_dsa.key"),
'-K', 'test/{}'.format(self.master.hostname),
]
)
req_id = re.findall(r'\d+', result.stdout_text)
status = tasks.wait_for_request(self.master, req_id[0], 100)
assert status == "MONITORING"
@ -369,7 +391,9 @@ class TestCertmongerRekey(IntegrationTest):
time.sleep(100)
# look for keytpe as DSA in request file
self.master.run_command([
'grep', 'DSA', '/var/lib/certmonger/requests/{}'.format(req_id[0])
'grep',
'DSA',
os.path.join(paths.CERTMONGER_REQUESTS_DIR, req_id[0]),
])
err_msg = 'Unable to create enrollment request: Invalid Request'
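Review bot: `paths.CERTMONGER_REQUESTS_DIR`, used in the grep for the DSA key type near the end of this section, is referenced but not introduced by this commit, so it must already exist in BasePathNamespace; confirm that, otherwise the rekey test fails with AttributeError before it reaches the grep. Separately, the rewritten cleanup in TestCertmongerRekey still passes `-rf` to rm for two single-file paths built from `self.request_id`; `["rm", "-f", os.path.join(paths.OPENSSL_CERTS_DIR, f"{self.request_id}.pem")]` is sufficient and avoids a recursive delete on a path that is only ever meant to name a file. The enclosing test methods start before and end after the hunks shown.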


@ -35,6 +35,7 @@ import textwrap
from subprocess import CalledProcessError
from ipaplatform.paths import paths
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
@ -108,11 +109,17 @@ def configure_starttls(host):
Depends on configure_postfix() being executed first.
"""
host.run_command(r'rm -f /etc/pki/tls/private/postfix.key')
host.run_command(r'rm -f /etc/pki/tls/certs/postfix.pem')
host.run_command(
["rm", "-f", os.path.join(paths.OPENSSL_PRIVATE_DIR, "postfix.key")]
)
host.run_command(
["rm", "-f", os.path.join(paths.OPENSSL_CERTS_DIR, "postfix.pem")]
)
host.run_command(["ipa-getcert", "request",
"-f", "/etc/pki/tls/certs/postfix.pem",
"-k", "/etc/pki/tls/private/postfix.key",
"-f",
os.path.join(paths.OPENSSL_CERTS_DIR, "postfix.pem"),
"-k",
os.path.join(paths.OPENSSL_PRIVATE_DIR, "postfix.key"),
"-K", "smtp/%s" % host.hostname,
"-D", host.hostname,
"-O", "postfix",
@ -123,8 +130,18 @@ def configure_starttls(host):
])
postconf(host, 'smtpd_tls_loglevel = 1')
postconf(host, 'smtpd_tls_auth_only = yes')
postconf(host, 'smtpd_tls_key_file = /etc/pki/tls/private/postfix.key')
postconf(host, 'smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem')
postconf(
host,
"smtpd_tls_key_file = {}".format(
os.path.join(paths.OPENSSL_PRIVATE_DIR, "postfix.key")
)
)
postconf(
host,
"smtpd_tls_cert_file = {}".format(
os.path.join(paths.OPENSSL_CERTS_DIR, "postfix.pem")
)
)
postconf(host, 'smtpd_tls_received_header = yes')
postconf(host, 'smtpd_tls_session_cache_timeout = 3600s')
@ -246,10 +263,28 @@ class TestEPN(IntegrationTest):
tasks.uninstall_packages(cls.clients[0], EPN_PKG)
tasks.uninstall_packages(cls.clients[0], ["postfix"])
cls.master.run_command(r'rm -f /etc/postfix/smtp.keytab')
cls.master.run_command(r'getcert stop-tracking -f '
'/etc/pki/tls/certs/postfix.pem')
cls.master.run_command(r'rm -f /etc/pki/tls/private/postfix.key')
cls.master.run_command(r'rm -f /etc/pki/tls/certs/postfix.pem')
cls.master.run_command(
[
"getcert",
"stop-tracking",
"-f",
os.path.join(paths.OPENSSL_CERTS_DIR, "postfix.pem"),
]
)
cls.master.run_command(
[
"rm",
"-f",
os.path.join(paths.OPENSSL_PRIVATE_DIR, "postfix.key"),
]
)
cls.master.run_command(
[
"rm",
"-f",
os.path.join(paths.OPENSSL_CERTS_DIR, "postfix.pem"),
]
)
@pytest.mark.skip_if_platform(
"debian", reason="Cannot check installed packages using RPM"
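Review bot: configure_starttls and the class teardown now call os.path.join, but the import hunk at the top of this section only adds `from ipaplatform.paths import paths`; whether `import os` is already present above that hunk is not visible here, so confirm it, since a missing import would surface as a NameError at the first postfix TLS setup rather than at collection time. The teardown order is right: `getcert stop-tracking -f` runs before the key and certificate are removed, so certmonger will not keep renewing into a deleted path. configure_starttls and the teardown both continue outside the hunks shown.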


@ -4,6 +4,7 @@
from __future__ import absolute_import
import os
import time
import re
import textwrap
@ -626,8 +627,12 @@ class TestSubCAkeyReplication(IntegrationTest):
master = self.master
replica = self.replicas[0]
TEST_KEY_FILE = '/etc/pki/tls/private/test_subca.key'
TEST_CRT_FILE = '/etc/pki/tls/private/test_subca.crt'
TEST_KEY_FILE = os.path.join(
paths.OPENSSL_PRIVATE_DIR, 'test_subca.key'
)
TEST_CRT_FILE = os.path.join(
paths.OPENSSL_PRIVATE_DIR, 'test_subca.crt'
)
caacl_cmd = [
'ipa', 'caacl-add-ca', 'hosts_services_caIPAserviceCert',
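Review bot: TEST_CRT_FILE still lands in OPENSSL_PRIVATE_DIR even though this commit rewrites the line and now provides a distinct OPENSSL_CERTS_DIR; a certificate is public data, and keeping it in the private-key directory blurs the permission boundary the two constants exist to express. I would change it to `TEST_CRT_FILE = os.path.join(paths.OPENSSL_CERTS_DIR, 'test_subca.crt')`, unless something later in the test relies on both files sharing a directory. The test method continues beyond the hunk.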