ipatests: Test Sub CA with CAACL and certificate profile

Test the Sub CA feature by signing a CSR with custom certificate profile. The test also covers 'cert-request' fallback behaviour for missing 'cacn' and 'profile-id' options by reusing the fixtures from the module. https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-06-21 15:57:58 +02:00 · 2016-06-21 15:57:58 +02:00 · d88a12f1f5
commit d88a12f1f5
parent 5b37aaad77
1 changed files with 110 additions and 0 deletions
--- a/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py
+++ b/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py
@ -15,6 +15,7 @@ from ipatests.util import (
 from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
 from ipatests.test_xmlrpc.tracker.certprofile_plugin import CertprofileTracker
 from ipatests.test_xmlrpc.tracker.caacl_plugin import CAACLTracker
+from ipatests.test_xmlrpc.tracker.ca_plugin import CATracker

 from ipapython.ipautil import run

@ -250,3 +251,112 @@ class TestSignWithChangedProfile(XMLRPC_test):
            with pytest.raises(errors.CertificateOperationError):
                api.Command.cert_request(csr, principal=smime_user,
                                         profile_id=smime_profile.name)
+
+
+@pytest.fixture(scope='class')
+def smime_signing_ca(request):
+    name = u'smime-signing-ca'
+    subject = u'CN=SMIME CA,O=test industries Inc.'
+    return CATracker(name, subject).make_fixture(request)
+
+
+@pytest.mark.tier1
+class TestCertSignMIMEwithSubCA(XMLRPC_test):
+    """ Test Certificate Signing with Sub CA
+
+    The test covers following areas:
+
+     * signing a CSR with custom certificate profile
+       using a designated Sub CA
+     * Verify that the Issuer of the signed certificate
+       is the reqested CA
+     * Verify that when not set, cert-request uses the default CA.
+       This it verified by violating an ACL
+     * Verify that when not set, cert-request uses the default
+       certificate profile.
+
+    The latter two test cases are implemented in this module
+    as not to replicate the fixtures to cert plugin test module.
+    """
+
+    def test_cert_import(self, smime_profile):
+        smime_profile.ensure_exists()
+
+    def test_create_acl(self, smime_acl):
+        smime_acl.ensure_exists()
+
+    def test_create_subca(self, smime_signing_ca):
+        smime_signing_ca.ensure_exists()
+
+    def test_add_profile_to_acl(self, smime_acl, smime_profile):
+        smime_acl.add_profile(certprofile=smime_profile.name)
+
+    def test_add_subca_to_acl(self, smime_acl, smime_signing_ca):
+        smime_acl.add_ca(smime_signing_ca.name)
+
+    # rewrite to trackers, prepare elsewhere
+    def test_add_user_to_group(self, smime_group, smime_user):
+        api.Command.group_add_member(smime_group, user=smime_user)
+
+    def test_add_group_to_acl(self, smime_group, smime_acl):
+        smime_acl.add_user(group=smime_group)
+
+    def test_sign_smime_csr(self, smime_profile, smime_user, smime_signing_ca):
+        csr = generate_user_csr(smime_user)
+        with change_principal(smime_user, SMIME_USER_PW):
+            api.Command.cert_request(csr, principal=smime_user,
+                                     profile_id=smime_profile.name,
+                                     cacn=smime_signing_ca.name)
+
+    def test_sign_smime_csr_full_principal(
+            self, smime_profile, smime_user, smime_signing_ca):
+        csr = generate_user_csr(smime_user)
+        smime_user_principal = '@'.join((smime_user, api.env.realm))
+        with change_principal(smime_user, SMIME_USER_PW):
+            api.Command.cert_request(csr, principal=smime_user_principal,
+                                     profile_id=smime_profile.name,
+                                     cacn=smime_signing_ca.name)
+
+    def test_verify_cert_issuer_dn_is_subca(
+            self, smime_profile, smime_user, smime_signing_ca):
+        csr = generate_user_csr(smime_user)
+        smime_user_principal = '@'.join((smime_user, api.env.realm))
+        with change_principal(smime_user, SMIME_USER_PW):
+            cert_info = api.Command.cert_request(
+                csr, principal=smime_user_principal,
+                profile_id=smime_profile.name, cacn=smime_signing_ca.name)
+
+        assert cert_info['result']['issuer'] == smime_signing_ca.ipasubjectdn
+
+    def test_sign_smime_csr_fallback_to_default_CA(
+            self, smime_profile, smime_user, smime_signing_ca):
+        """ Attempt to sign a CSR without CA specified.
+
+        The request will satisfy SMIME_ACL via the profile ID,
+        however not specifying the CA will fallback to the IPA CA
+        for which SMIME profile isn't enabled, thus violating ACL.
+        """
+        csr = generate_user_csr(smime_user)
+        smime_user_principal = '@'.join((smime_user, api.env.realm))
+
+        with pytest.raises(errors.ACIError):
+            with change_principal(smime_user, SMIME_USER_PW):
+                api.Command.cert_request(csr, principal=smime_user_principal,
+                                         profile_id=smime_profile.name)
+
+    def test_sign_smime_csr_fallback_to_default_cert_profile(
+            self, smime_profile, smime_user, smime_signing_ca):
+        """ Attempt to sign a CSR without certificate profile specified.
+
+        Similar to previous test case.
+        By specifying only the CA to use, profile will fallback to
+        the default caIPAserviceCert profile which is not enabled
+        via ACL to be used with the CA, thus failing the request.
+        """
+        csr = generate_user_csr(smime_user)
+        smime_user_principal = '@'.join((smime_user, api.env.realm))
+
+        with pytest.raises(errors.ACIError):
+            with change_principal(smime_user, SMIME_USER_PW):
+                api.Command.cert_request(csr, principal=smime_user_principal,
+                                         cacn=smime_signing_ca.name)