test_integration: add tests for custom CA subject DN

Define integration test for custom CA subject DN and subject base
scenarios.  Add to nightly CI runs.

Part of: https://pagure.io/freeipa/issue/8084

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

ipatests/prci_definitions/nightly_f29.yaml

@@ -1336,3 +1336,15 @@ jobs:
         template: *ci-master-f29
         timeout: 3600
         topology: *ad_master
+
+  fedora-29/test_ca_custom_sdn:
+    requires: [fedora-29/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-29/build_url}'
+        test_suite: test_integration/test_ca_custom_sdn.py
+        template: *ci-master-f29
+        timeout: 7200
+        topology: *master_1repl

ipatests/prci_definitions/nightly_master.yaml

@@ -1348,3 +1348,15 @@ jobs:
         template: *ci-master-f30
         timeout: 3600
         topology: *ad_master
+
+  fedora-30/test_ca_custom_sdn:
+    requires: [fedora-30/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-30/build_url}'
+        test_suite: test_integration/test_ca_custom_sdn.py
+        template: *ci-master-f30
+        timeout: 7200
+        topology: *master_1repl

ipatests/prci_definitions/nightly_master_pki.yaml

@@ -782,3 +782,16 @@ jobs:
         template: *pki-master-f30
         timeout: 3600
         topology: *master_1repl
+
+  fedora-30/test_ca_custom_sdn:
+    requires: [fedora-30/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-30/build_url}'
+        update_packages: True
+        test_suite: test_integration/test_ca_custom_sdn.py
+        template: *pki-master-f30
+        timeout: 7200
+        topology: *master_1repl

ipatests/prci_definitions/nightly_master_testing.yaml

@@ -1454,3 +1454,16 @@ jobs:
         template: *testing-master-f30
         timeout: 3600
         topology: *ad_master
+
+  fedora-30/test_ca_custom_sdn:
+    requires: [fedora-30/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-30/build_url}'
+        update_packages: True
+        test_suite: test_integration/test_ca_custom_sdn.py
+        template: *testing-master-f30
+        timeout: 7200
+        topology: *master_1repl

ipatests/prci_definitions/nightly_rawhide.yaml

@@ -1348,3 +1348,15 @@ jobs:
         template: *ci-master-frawhide
         timeout: 3600
         topology: *ad_master
+
+  fedora-rawhide/test_ca_custom_sdn:
+    requires: [fedora-rawhide/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-rawhide/build_url}'
+        test_suite: test_integration/test_ca_custom_sdn.py
+        template: *ci-master-frawhide
+        timeout: 7200
+        topology: *master_1repl

ipatests/test_integration/test_ca_custom_sdn.py

@@ -0,0 +1,67 @@
+#
+# Copyright (C) 2019  FreeIPA Contributors see COPYING for license
+#
+
+import time
+
+from ipapython.dn import DN
+
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.pytest_ipa.integration import tasks
+
+
+class TestCACustomSubjectDN(IntegrationTest):
+    """
+    Test that everything works properly when IPA CA has a custom Subject DN.
+    We will also choose a custom Subject Base, that does not have anything
+    in common with the CA Subject DN.
+
+    Generating a random DN might be interest, but for now we construct one
+    that regression tests some previously encountered issues:
+
+    * Comma in RDN value: https://pagure.io/freeipa/issue/7347
+
+    * KRA authentication failed for all custom subject DNs:
+      https://pagure.io/freeipa/issue/8084
+
+    """
+
+    num_replicas = 0
+
+    @classmethod
+    def install(cls, mh):
+        """
+        Successful installation is sufficient to verify
+        https://pagure.io/freeipa/issue/7347.
+
+        """
+        tasks.install_master(
+            cls.master,
+            setup_kra=True,
+            extra_args=[
+                '--subject-base', str(create_custom_subject_base()),
+                '--ca-subject', str(create_custom_ca_subject()),
+            ],
+        )
+
+    def test_kra_authn(self):
+        """
+        vault-add is sufficient to verify
+        https://pagure.io/freeipa/issue/8084.
+
+        """
+        self.master.run_command([
+            'ipa', 'vault-add', "test1",
+            '--password', 'Secret.123', '--type', 'symmetric',
+        ])
+
+
+def create_custom_ca_subject():
+    return DN(
+        ('CN', 'IPA CA'),
+        ('O', 'Corporation {}, Inc.'.format(int(time.time()))),
+    )
+
+
+def create_custom_subject_base():
+    return DN(('O', 'Red Hat, Inc.'))