Add tests for Random Serial Number v3 support

Extend existing tests and enable random serial numbers
during installation. A subset of tests was identified that
exercises the code sufficiently to ensure proper operation.

Update the xml-rpc test to allow the new RSN version number
attribute.

Update some certificate tests where a specifc serial number
is expected.

Fixes: https://pagure.io/freeipa/issue/2016

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Rob Crittenden 2022-06-03 18:28:38 +00:00 committed by Florence Blanc-Renaud
parent beaa0562dc
commit d241d7405f
14 changed files with 475 additions and 13 deletions


@ -1773,3 +1773,51 @@ jobs:
template: *ci-master-latest
timeout: 5000
topology: *master_1repl
fedora-latest/test_random_serial_numbers_TestInstallWithCA_DNS1_RSN:
requires: [fedora-latest/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-latest/build_url}'
test_suite: test_integration/test_random_serial_numbers.py::TestInstallWithCA_DNS1_RSN
template: *ci-master-latest
timeout: 10800
topology: *master_3repl_1client
fedora-latest/test_random_serial_numbers_TestInstallWithCA_KRA1_RSN:
requires: [fedora-latest/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-latest/build_url}'
test_suite: test_integration/test_random_serial_numbers.py::TestInstallWithCA_KRA1_RSN
template: *ci-master-latest
timeout: 10800
topology: *master_3repl_1client
fedora-latest/test_random_serial_numbers_test_commands_RSN:
requires: [fedora-latest/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-latest/build_url}'
test_suite: test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_certificate_out_write_to_file
template: *ci-master-latest
timeout: 5400
topology: *master_1repl_1client
fedora-latest/test_caless_TestServerCALessToExternalCA_RSN:
requires: [fedora-latest/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-latest/build_url}'
test_suite: test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
template: *ci-master-latest
timeout: 5400
topology: *master_1repl
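Review bot: The job keys `fedora-latest/test_random_serial_numbers_test_commands_RSN` and `fedora-latest/test_caless_TestServerCALessToExternalCA_RSN` break the `<suite>_<Class>` convention the two jobs above them follow — the first drops the class name, the second is prefixed `test_caless` although its `test_suite` is `test_random_serial_numbers.py`; the same keys recur in each of the other gating files in this commit. Renaming them `fedora-latest/test_random_serial_numbers_TestIPACommand_RSN` and `fedora-latest/test_random_serial_numbers_TestServerCALessToExternalCA_RSN` keeps them greppable next to the suite they run. The `jobs:` mapping begins before the hunk.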


@ -984,3 +984,59 @@ jobs:
template: *ci-master-latest
timeout: 5000
topology: *master_1repl
pki-fedora/test_random_serial_numbers_TestInstallWithCA_DNS1_RSN:
requires: [pki-fedora/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{pki-fedora/build_url}'
update_packages: True
copr: '@pki/master'
test_suite: test_integration/test_random_serial_numbers.py::TestInstallWithCA_DNS1_RSN
template: *ci-master-latest
timeout: 10800
topology: *master_3repl_1client
pki-fedora/test_random_serial_numbers_TestInstallWithCA_KRA1_RSN:
requires: [pki-fedora/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{pki-fedora/build_url}'
update_packages: True
copr: '@pki/master'
test_suite: test_integration/test_random_serial_numbers.py::TestInstallWithCA_KRA1_RSN
template: *ci-master-latest
timeout: 10800
topology: *master_3repl_1client
pki-fedora/test_random_serial_numbers_test_commands_RSN:
requires: [pki-fedora/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{pki-fedora/build_url}'
update_packages: True
copr: '@pki/master'
test_suite: test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_certificate_out_write_to_file
template: *ci-master-latest
timeout: 5400
topology: *master_1repl_1client
pki-fedora/test_caless_TestServerCALessToExternalCA_RSN:
requires: [pki-fedora/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{pki-fedora/build_url}'
update_packages: True
copr: '@pki/master'
test_suite: test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
template: *ci-master-latest
timeout: 5400
topology: *master_1repl


@ -1914,3 +1914,55 @@ jobs:
template: *ci-master-latest
timeout: 5000
topology: *master_1repl
fedora-latest/test_random_serial_numbers_TestInstallWithCA_DNS1_RSN:
requires: [fedora-latest/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-latest/build_url}'
selinux_enforcing: True
test_suite: test_integration/test_random_serial_numbers.py::TestInstallWithCA_DNS1_RSN
template: *ci-master-latest
timeout: 10800
topology: *master_3repl_1client
fedora-latest/test_random_serial_numbers_TestInstallWithCA_KRA1_RSN:
requires: [fedora-latest/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-latest/build_url}'
selinux_enforcing: True
test_suite: test_integration/test_random_serial_numbers.py::TestInstallWithCA_KRA1_RSN
template: *ci-master-latest
timeout: 10800
topology: *master_3repl_1client
fedora-latest/test_random_serial_numbers_test_commands_RSN:
requires: [fedora-latest/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-latest/build_url}'
selinux_enforcing: True
test_suite: test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_certificate_out_write_to_file
template: *ci-master-latest
timeout: 5400
topology: *master_1repl_1client
fedora-latest/test_caless_TestServerCALessToExternalCA_RSN:
requires: [fedora-latest/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-latest/build_url}'
selinux_enforcing: True
test_suite: test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
template: *ci-master-latest
timeout: 5400
topology: *master_1repl


@ -2056,3 +2056,59 @@ jobs:
template: *ci-master-latest
timeout: 5000
topology: *master_1repl
testing-fedora/test_random_serial_numbers_TestInstallWithCA_DNS1_RSN:
requires: [testing-fedora/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{testing-fedora/build_url}'
update_packages: True
enable_testing_repo: True
test_suite: test_integration/test_random_serial_numbers.py::TestInstallWithCA_DNS1_RSN
template: *ci-master-latest
timeout: 10800
topology: *master_3repl_1client
testing-fedora/test_random_serial_numbers_TestInstallWithCA_KRA1_RSN:
requires: [testing-fedora/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{testing-fedora/build_url}'
update_packages: True
enable_testing_repo: True
test_suite: test_integration/test_random_serial_numbers.py::TestInstallWithCA_KRA1_RSN
template: *ci-master-latest
timeout: 10800
topology: *master_3repl_1client
testing-fedora/test_random_serial_numbers_test_commands_RSN:
requires: [testing-fedora/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{testing-fedora/build_url}'
update_packages: True
enable_testing_repo: True
test_suite: test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_certificate_out_write_to_file
template: *ci-master-latest
timeout: 5400
topology: *master_1repl_1client
testing-fedora/test_caless_TestServerCALessToExternalCA_RSN:
requires: [testing-fedora/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{testing-fedora/build_url}'
update_packages: True
enable_testing_repo: True
test_suite: test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
template: *ci-master-latest
timeout: 5400
topology: *master_1repl


@ -2197,3 +2197,63 @@ jobs:
template: *ci-master-latest
timeout: 5000
topology: *master_1repl
testing-fedora/test_random_serial_numbers_TestInstallWithCA_DNS1_RSN:
requires: [testing-fedora/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{testing-fedora/build_url}'
update_packages: True
selinux_enforcing: True
enable_testing_repo: True
test_suite: test_integration/test_random_serial_numbers.py::TestInstallWithCA_DNS1_RSN
template: *ci-master-latest
timeout: 10800
topology: *master_3repl_1client
testing-fedora/test_random_serial_numbers_TestInstallWithCA_KRA1_RSN:
requires: [testing-fedora/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{testing-fedora/build_url}'
update_packages: True
selinux_enforcing: True
enable_testing_repo: True
test_suite: test_integration/test_random_serial_numbers.py::TestInstallWithCA_KRA1_RSN
template: *ci-master-latest
timeout: 10800
topology: *master_3repl_1client
testing-fedora/test_random_serial_numbers_test_commands_RSN:
requires: [testing-fedora/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{testing-fedora/build_url}'
update_packages: True
selinux_enforcing: True
enable_testing_repo: True
test_suite: test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_certificate_out_write_to_file
template: *ci-master-latest
timeout: 5400
topology: *master_1repl_1client
testing-fedora/test_caless_TestServerCALessToExternalCA_RSN:
requires: [testing-fedora/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{testing-fedora/build_url}'
update_packages: True
selinux_enforcing: True
enable_testing_repo: True
test_suite: test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
template: *ci-master-latest
timeout: 5400
topology: *master_1repl


@ -1773,3 +1773,51 @@ jobs:
template: *ci-master-previous
timeout: 5000
topology: *master_1repl
fedora-previous/test_random_serial_numbers_TestInstallWithCA_DNS1_RSN:
requires: [fedora-previous/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-previous/build_url}'
test_suite: test_integration/test_random_serial_numbers.py::TestInstallWithCA_DNS1_RSN
template: *ci-master-previous
timeout: 10800
topology: *master_3repl_1client
fedora-previous/test_random_serial_numbers_TestInstallWithCA_KRA1_RSN:
requires: [fedora-previous/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-previous/build_url}'
test_suite: test_integration/test_random_serial_numbers.py::TestInstallWithCA_KRA1_RSN
template: *ci-master-previous
timeout: 10800
topology: *master_3repl_1client
fedora-previous/test_random_serial_numbers_test_commands_RSN:
requires: [fedora-previous/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-previous/build_url}'
test_suite: test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_certificate_out_write_to_file
template: *ci-master-previous
timeout: 5400
topology: *master_1repl_1client
fedora-previous/test_caless_TestServerCALessToExternalCA_RSN:
requires: [fedora-previous/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-previous/build_url}'
test_suite: test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
template: *ci-master-previous
timeout: 5400
topology: *master_1repl
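Review bot: Unlike the `pki-fedora` and `testing-fedora` variants, these jobs run with the distribution's stock pki (no `update_packages` or `copr`), and every class in `test_random_serial_numbers.py` skips itself when `pki_supports_RSNv3()` is false, so on a release whose pki predates RSNv3 the four jobs would go green having exercised nothing, after provisioning topologies with timeouts totalling nine hours. If RSNv3 is not expected on fedora-previous these jobs are better left out until it is; if it is expected, a comment such as `# requires a pki with RSNv3 support; the suite skips itself otherwise` makes a silent skip noticeable when someone reads the gating file. The `jobs:` mapping begins before the hunk.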


@ -1914,3 +1914,55 @@ jobs:
template: *ci-master-frawhide
timeout: 5000
topology: *master_1repl
fedora-rawhide/test_random_serial_numbers_TestInstallWithCA_DNS1_RSN:
requires: [fedora-rawhide/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-rawhide/build_url}'
update_packages: True
test_suite: test_integration/test_random_serial_numbers.py::TestInstallWithCA_DNS1_RSN
template: *ci-master-frawhide
timeout: 10800
topology: *master_3repl_1client
fedora-rawhide/test_random_serial_numbers_TestInstallWithCA_KRA1_RSN:
requires: [fedora-rawhide/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-rawhide/build_url}'
update_packages: True
test_suite: test_integration/test_random_serial_numbers.py::TestInstallWithCA_KRA1_RSN
template: *ci-master-frawhide
timeout: 10800
topology: *master_3repl_1client
fedora-rawhide/test_random_serial_numbers_test_commands_RSN:
requires: [fedora-rawhide/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-rawhide/build_url}'
update_packages: True
test_suite: test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_certificate_out_write_to_file
template: *ci-master-frawhide
timeout: 5400
topology: *master_1repl_1client
fedora-rawhide/test_caless_TestServerCALessToExternalCA_RSN:
requires: [fedora-rawhide/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-rawhide/build_url}'
update_packages: True
test_suite: test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
template: *ci-master-frawhide
timeout: 5400
topology: *master_1repl


@ -324,7 +324,8 @@ def set_default_ttl_for_ipa_dns_zone(host, raiseonerr=True):
def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False,
extra_args=(), domain_level=None, unattended=True,
external_ca=False, stdin_text=None, raiseonerr=True):
external_ca=False, stdin_text=None, raiseonerr=True,
random_serial=False):
if domain_level is None:
domain_level = host.config.domain_level
check_domain_level(domain_level)
@ -345,6 +346,10 @@ def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False,
'-a', host.config.admin_password,
"--domain-level=%i" % domain_level,
]
if random_serial:
args.append('--random-serial-numbers')
if ipatests_dse:
args.extend(["--dirsrv-config-file", ipatests_dse])
@ -1412,7 +1417,8 @@ def double_circle_topo(master, replicas, site_size=6):
def install_topo(topo, master, replicas, clients, domain_level=None,
skip_master=False, setup_replica_cas=True,
setup_replica_kras=False, clients_extra_args=()):
setup_replica_kras=False, clients_extra_args=(),
random_serial=False):
"""Install IPA servers and clients in the given topology"""
if setup_replica_kras and not setup_replica_cas:
raise ValueError("Option 'setup_replica_kras' requires "
@ -1423,7 +1429,8 @@ def install_topo(topo, master, replicas, clients, domain_level=None,
install_master(
master,
domain_level=domain_level,
setup_kra=setup_replica_kras
setup_kra=setup_replica_kras,
random_serial=random_serial,
)
add_a_records_for_hosts_in_master_domain(master)
@ -1675,13 +1682,16 @@ def install_kra(host, domain_level=None,
def install_ca(
host, domain_level=None, first_instance=False, external_ca=False,
cert_files=None, raiseonerr=True, extra_args=()
cert_files=None, raiseonerr=True, extra_args=(),
random_serial=False,
):
if domain_level is None:
domain_level = domainlevel(host)
check_domain_level(domain_level)
command = ["ipa-ca-install", "-U", "-p", host.config.dirman_password,
"-P", 'admin', "-w", host.config.admin_password]
if random_serial:
command.append('--random-serial-numbers')
if not isinstance(extra_args, (tuple, list)):
raise TypeError("extra_args must be tuple or list")
command.extend(extra_args)
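Review bot: The new `random_serial` parameter on `install_master`, `install_topo` and `install_ca` is undocumented, and `install_ca` appends `--random-serial-numbers` regardless of `first_instance`, although the option looks like a domain-wide CA setting that only the first CA instance can choose. I would add next to each new parameter `# random_serial: pass --random-serial-numbers so the CA issues RSNv3 (random) serials instead of sequential ones` and, in `install_ca`, `# NOTE(review): presumably only honoured when first_instance=True — confirm`. All three functions continue outside the hunks.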


@ -39,6 +39,7 @@ class IntegrationTest:
topology = None
domain_level = None
fips_mode = None
random_serial = False
@classmethod
def host_by_role(cls, role):
@ -87,7 +88,8 @@ class IntegrationTest:
else:
tasks.install_topo(cls.topology,
cls.master, cls.replicas,
cls.clients, domain_level)
cls.clients, domain_level,
random_serial=cls.random_serial)
@classmethod
def uninstall(cls, mh):
for replica in cls.replicas:
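Review bot: `random_serial = False` joins `domain_level` and `fips_mode` as a class-level knob, but nothing says what it controls or that the base `install()` forwards it only through `tasks.install_topo`; a subclass that overrides `install` must forward `cls.random_serial` itself or the flag is silently ignored. A one-line comment on the attribute, `# Install the CA with --random-serial-numbers (RSNv3); subclasses overriding install() must forward this themselves`, states that contract. `install()` starts outside the hunk.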


@ -719,9 +719,13 @@ class TestIPACommand(IntegrationTest):
def test_certificate_out_write_to_file(self):
# commands to test; name of temporary file will be appended
result = self.master.run_command([
'openssl', 'x509', '-serial', '-noout', '-in', paths.IPA_CA_CRT
])
serial = result.stdout_text.strip().split('=', maxsplit=1)[1]
commands = [
['ipa', 'cert-show', '1', '--certificate-out'],
['ipa', 'cert-show', '1', '--chain', '--certificate-out'],
['ipa', 'cert-show', serial, '--certificate-out'],
['ipa', 'cert-show', serial, '--chain', '--certificate-out'],
['ipa', 'ca-show', 'ipa', '--certificate-out'],
['ipa', 'ca-show', 'ipa', '--chain', '--certificate-out'],
]
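Review bot: The serial taken from `openssl x509 -serial` is hexadecimal with no `0x` prefix (`serial=01` for a sequential CA certificate) and is handed verbatim to `ipa cert-show`; that only works if cert-show accepts bare hex, and with sequential serials it passed merely because `01` reads the same in either base. Converting once, `serial = str(int(result.stdout_text.strip().split('=', maxsplit=1)[1], 16))`, gives cert-show the decimal form the old test already relied on, so the assertion stays meaningful under RSNv3 where the hex and decimal spellings differ. The method continues outside the hunk.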


@ -516,7 +516,8 @@ class TestInstallWithCA_KRA1(InstallTestBase1):
@classmethod
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=cls.master_with_dns,
setup_kra=True)
setup_kra=True,
random_serial=cls.random_serial)
def test_replica0_ipa_kra_install(self):
tasks.install_kra(self.replicas[0], first_instance=False)
@ -536,7 +537,8 @@ class TestInstallWithCA_DNS1(InstallTestBase1):
@classmethod
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=cls.master_with_dns)
tasks.install_master(cls.master, setup_dns=cls.master_with_dns,
random_serial=cls.random_serial)
@pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0,
reason='does not work on DOMAIN_LEVEL_0 by design')
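Review bot: Only these two `install` overrides forward `cls.random_serial`; any other `InstallTestBase1` subclass that overrides `install` (outside this hunk, if one exists) would silently ignore a `random_serial = True` attribute, so the flag is easy to lose when new install variants are copied from older ones. A short comment on each call, `# forward the class-level RSN flag so *_RSN subclasses take effect`, makes the requirement visible at the copy point. Both classes continue outside the hunk.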


@ -2791,6 +2791,11 @@ class TestIpaHealthCheckWithExternalCA(IntegrationTest):
error_reason = (
"RA agent description does not match"
)
ldap = self.master.ldap_connect()
dn = DN(("uid", "ipara"), ("ou", "People"), ("o", "ipaca"))
entry = ldap.get_entry(dn)
ldap_cert_desc = entry.single_value.get("description")
update_ra_cert_desc(
'2;16;CN=Certificate Authority,O=%s;CN=IPA RA,O=%s' %
(self.master.domain.realm, self.master.domain.realm)
@ -2804,9 +2809,7 @@ class TestIpaHealthCheckWithExternalCA(IntegrationTest):
for check in data:
assert check["result"] == "ERROR"
assert (
check["kw"]["expected"] == "2;6;"
"CN=Certificate Authority,O=%s;CN=IPA RA,"
"O=%s" % (self.master.domain.realm, self.master.domain.realm)
check["kw"]["expected"] == ldap_cert_desc
)
assert (
check["kw"]["got"] == "2;16;"


@ -0,0 +1,66 @@
#
# Copyright (C) 2022 FreeIPA Contributors see COPYING for license
#
import pytest
from ipatests.test_integration.test_installation import (
TestInstallWithCA_DNS1,
TestInstallWithCA_KRA1,
)
from ipatests.test_integration.test_caless import TestServerCALessToExternalCA
from ipatests.test_integration.test_commands import TestIPACommand
def pki_supports_RSNv3(host):
"""
Return whether the host supports RNSv3 based on the pki version
"""
script = ("from ipaserver.install.ca import "
"random_serial_numbers_version; "
"print(random_serial_numbers_version(True))")
result = host.run_command(['python3', '-c', script])
if 'true' in result.stdout_text.strip().lower():
return True
return False
class TestInstallWithCA_DNS1_RSN(TestInstallWithCA_DNS1):
random_serial = True
@classmethod
def install(cls, mh):
if not pki_supports_RSNv3(mh.master):
raise pytest.skip("RNSv3 not supported")
super(TestInstallWithCA_DNS1_RSN, cls).install(mh)
class TestInstallWithCA_KRA1_RSN(TestInstallWithCA_KRA1):
random_serial = True
@classmethod
def install(cls, mh):
if not pki_supports_RSNv3(mh.master):
raise pytest.skip("RNSv3 not supported")
super(TestInstallWithCA_KRA1_RSN, cls).install(mh)
class TestIPACommand_RSN(TestIPACommand):
random_serial = True
@classmethod
def install(cls, mh):
if not pki_supports_RSNv3(mh.master):
raise pytest.skip("RNSv3 not supported")
super(TestIPACommand_RSN, cls).install(mh)
class TestServerCALessToExternalCA_RSN(TestServerCALessToExternalCA):
random_serial = True
@classmethod
def install(cls, mh):
if not pki_supports_RSNv3(mh.master):
raise pytest.skip("RNSv3 not supported")
super(TestServerCALessToExternalCA_RSN, cls).install(mh)
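Review bot: The skip guard and `random_serial = True` are copied into all four classes, and each uses `raise pytest.skip(...)`, where the `raise` is dead code because `pytest.skip()` already raises; a small mixin placed first in the bases removes the duplication and lets `super().install(mh)` replace the Python 2-style `super(Cls, cls)` calls. In `pki_supports_RSNv3`, `'true' in result.stdout_text.strip().lower()` is a substring test on whatever the helper prints — compare `== 'true'` instead, or print and parse the version number the helper's name suggests it returns. The docstring and all four skip messages spell the feature "RNSv3"; it is RSNv3 (random serial numbers v3).
```python
def pki_supports_RSNv3(host):
    """Return True if the host's pki supports RSNv3 (random serial numbers v3)."""
    script = ("from ipaserver.install.ca import "
              "random_serial_numbers_version; "
              "print(random_serial_numbers_version(True))")
    result = host.run_command(['python3', '-c', script])
    return result.stdout_text.strip().lower() == 'true'


class RSNMixin:
    """Install with --random-serial-numbers; skip the class when pki lacks RSNv3."""
    random_serial = True

    @classmethod
    def install(cls, mh):
        if not pki_supports_RSNv3(mh.master):
            pytest.skip("RSNv3 not supported")
        super().install(mh)


class TestInstallWithCA_DNS1_RSN(RSNMixin, TestInstallWithCA_DNS1):
    pass

# … same one-line subclasses for TestInstallWithCA_KRA1_RSN, TestIPACommand_RSN
# and TestServerCALessToExternalCA_RSN …
```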


@ -26,7 +26,8 @@ class CATracker(Tracker, EnableTracker):
"""Implementation of a Tracker class for CA plugin."""
ldap_keys = {
'dn', 'cn', 'ipacaid', 'ipacasubjectdn', 'ipacaissuerdn', 'description'
'dn', 'cn', 'ipacaid', 'ipacasubjectdn', 'ipacaissuerdn',
'description', 'ipacarandomserialnumberversion',
}
cert_keys = {
'certificate',
@ -81,6 +82,8 @@ class CATracker(Tracker, EnableTracker):
certificate_chain=fuzzy_sequence_of(fuzzy_bytes),
objectclass=objectclasses.ca
)
if self.description == 'IPA CA':
self.attrs['ipacarandomserialnumberversion'] = ('0',)
self.exists = True
def make_disable_command(self):
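Review bot: Pinning `ipacarandomserialnumberversion` to `('0',)` whenever `self.description == 'IPA CA'` hard-codes the non-RSN case, so these xmlrpc expectations would fail against a server installed with `--random-serial-numbers` — the very configuration the rest of this commit starts exercising. The tracker already tolerates unknown values with `fuzzy_sequence_of(fuzzy_bytes)` for the chain; a digits matcher here (e.g. `(fuzzy_digits,)`, if the file's fuzzy helpers include one) or reading the attribute back from the server under test would make the tracker valid for both installs, with a comment such as `# RSN version is install-time (0 = sequential, 3 = RSNv3); do not hard-code`. `make_disable_command` at the bottom of the hunk continues outside it.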