IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-26 08:06:30 -06:00
Code Issues Packages Projects Releases Wiki Activity

acme: add revocation test

Browse Source 
Add an integration test that tests revocation via Certbot.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Fraser Tweedale 2020-06-25 14:51:32 +10:00 committed by Rob Crittenden
parent f9f3b3b118
commit e976dde8e1
1 changed files with 39 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
ipatests/test_integration/test_acme.py
View File

@ -4,6 +4,8 @@
import time import time
from cryptography.hazmat.backends import default_backend
from cryptography import x509
import pytest import pytest
from ipalib.constants import IPA_CA_RECORD from ipalib.constants import IPA_CA_RECORD
@ -30,6 +32,7 @@ class TestACME(IntegrationTest):
* service enable/disable (using Curl) * service enable/disable (using Curl)
* http-01 challenge with Certbot's standalone HTTP server * http-01 challenge with Certbot's standalone HTTP server
* revocation with Certbot
* http-01 challenge with mod_md * http-01 challenge with mod_md
Tests we should add: Tests we should add:
@ -39,7 +42,6 @@ class TestACME(IntegrationTest):
/blog-redhat/posts/2020-05-13-ipa-acme-dns.html for details.) /blog-redhat/posts/2020-05-13-ipa-acme-dns.html for details.)
* dns-01 challenge with mod_md (see * dns-01 challenge with mod_md (see
https://httpd.apache.org/docs/current/mod/mod_md.html#mdchallengedns01) https://httpd.apache.org/docs/current/mod/mod_md.html#mdchallengedns01)
* revocation
Things that are not implmented/supported yet, but may be in future: Things that are not implmented/supported yet, but may be in future:
@ -70,6 +72,16 @@ class TestACME(IntegrationTest):
cls.master, cls.clients[0] cls.master, cls.clients[0]
) )
#######
# kinit
#######
def test_kinit_master(self):
# Some tests require executing ipa commands, e.g. to
# check revocation status or add/remove DNS entries.
# Preemptively kinit as admin on the master.
tasks.kinit_admin(self.master)
##################### #####################
# Enable ACME service # Enable ACME service
##################### #####################
@ -131,6 +143,32 @@ class TestACME(IntegrationTest):
], ],
) )
@pytest.mark.skipif(skip_certbot_tests, reason='certbot not available')
def test_certbot_revoke(self):
# Assume previous certonly operation succeeded.
# Read certificate to learn serial number.
cert_path = \
f'/etc/letsencrypt/live/{self.clients[0].hostname}/cert.pem'
data = self.clients[0].get_file_contents(cert_path)
cert = x509.load_pem_x509_certificate(data, backend=default_backend())
# revoke cert via ACME
self.clients[0].run_command(
[
'certbot',
'--server', self.acme_server,
'revoke',
'--cert-name', self.clients[0].hostname,
'--delete-after-revoke',
],
)
# check cert is revoked (kinit already performed)
result = self.master.run_command(
['ipa', 'cert-show', str(cert.serial_number), '--raw']
)
assert 'revocation_reason:' in result.stdout_text
############## ##############
# mod_md tests # mod_md tests
############## ##############