From fe21094c8eca948673c6ff0aac337ee3151d4be1 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan Yusuf
Date: Wed, 22 Jan 2020 16:02:12 +0530
Subject: [PATCH] Test if certmonger reads the token in HSM

This is to ensure added HSM support for FreeIPA. This test adds certificate with sofhsm token and checks if certmonger is tracking it.

related : https://pagure.io/certmonger/issue/125

Signed-off-by: Mohammad Rizwan Yusuf
Reviewed-By: Rob Crittenden
---
 .../test_integration/test_installation.py | 91 +++++++++++++++++++
 1 file changed, 91 insertions(+)

diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 9084d0e7f..d8eb24369 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -25,6 +25,7 @@ from ipaplatform.osinfo import osinfo
 from ipaplatform.paths import paths
 from ipaplatform.tasks import tasks as platformtasks
 from ipapython import ipautil
+from ipalib.install.certmonger import wait_for_request
 from ipatests.pytest_ipa.integration import tasks
 from ipatests.pytest_ipa.integration.env_config import get_global_config
 from ipatests.test_integration.base import IntegrationTest
@@ -254,6 +255,96 @@ class TestInstallCA(IntegrationTest):
         tasks.install_replica(self.master, self.replicas[1], setup_ca=False)
         tasks.install_ca(self.replicas[1], extra_args=["--skip-schema-check"])
 
+    def test_certmonger_reads_token_HSM(self):
+        """Test if certmonger reads the token in HSM
+
+        This is to ensure added HSM support for FreeIPA. This test adds
+        certificate with sofhsm token and checks if certmonger is tracking
+        it.
+
+        related : https://pagure.io/certmonger/issue/125
+        """
+        test_service = 'test/%s' % self.master.hostname
+        pkcs_passwd = 'Secret123'
+        pin = '123456'
+        noisefile = '/tmp/noisefile'
+        self.master.put_file_contents(noisefile, os.urandom(64))
+
+        tasks.kinit_admin(self.master)
+        tasks.install_dns(self.master)
+        self.master.run_command(['ipa', 'service-add', test_service])
+
+        # create a csr
+        cmd_args = ['certutil', '-d', paths.NSS_DB_DIR, '-R', '-a',
+                    '-o', '/root/ipa.csr',
+                    '-s', "CN=%s" % self.master.hostname,
+                    '-z', noisefile]
+        self.master.run_command(cmd_args)
+
+        # request certificate
+        cmd_args = ['ipa', 'cert-request', '--principal', test_service,
+                    '--certificate-out', '/root/test.pem', '/root/ipa.csr']
+        self.master.run_command(cmd_args)
+
+        # adding trust flag
+        cmd_args = ['certutil', '-A', '-d', paths.NSS_DB_DIR, '-n',
+                    'test', '-a', '-i', '/root/test.pem', '-t', 'u,u,u']
+        self.master.run_command(cmd_args)
+
+        # export pkcs12 file
+        cmd_args = ['pk12util', '-o', '/root/test.p12',
+                    '-d', paths.NSS_DB_DIR, '-n', 'test', '-W', pkcs_passwd]
+        self.master.run_command(cmd_args)
+
+        # add softhsm lib
+        cmd_args = ['modutil', '-dbdir', paths.NSS_DB_DIR, '-add',
+                    'softhsm', '-libfile', '/usr/lib64/softhsm/libsofthsm.so']
+        self.master.run_command(cmd_args, stdin_text="\n\n")
+
+        # create a token
+        cmd_args = ['softhsm2-util', '--init-token', '--label', 'test',
+                    '--pin', pin, '--so-pin', pin, '--free']
+        self.master.run_command(cmd_args)
+
+        self.master.run_command(['softhsm2-util', '--show-slots'])
+
+        cmd_args = ['certutil', '-F', '-d', paths.NSS_DB_DIR, '-n', 'test']
+        self.master.run_command(cmd_args)
+
+        cmd_args = ['pk12util', '-i', '/root/test.p12',
+                    '-d', paths.NSS_DB_DIR, '-h', 'test',
+                    '-W', pkcs_passwd, '-K', pin]
+        self.master.run_command(cmd_args)
+
+        cmd_args = ['certutil', '-A', '-d', paths.NSS_DB_DIR, '-n', 'IPA CA',
+                    '-t', 'CT,,', '-a', '-i', paths.IPA_CA_CRT]
+        self.master.run_command(cmd_args)
+
+        # validate the certificate
+        self.master.put_file_contents('/root/pinfile', pin)
+        cmd_args = ['certutil', '-V', '-u', 'V', '-e', '-d', paths.NSS_DB_DIR,
+                    '-h', 'test', '-n', 'test:test', '-f', '/root/pinfile']
+        result = self.master.run_command(cmd_args)
+        assert 'certificate is valid' in result.stdout_text
+
+        # add certificate tracking to certmonger
+        cmd_args = ['ipa-getcert', 'start-tracking', '-d', paths.NSS_DB_DIR,
+                    '-n', 'test', '-t', 'test', '-P', pin,
+                    '-K', test_service]
+        result = self.master.run_command(cmd_args)
+        request_id = re.findall(r'\d+', result.stdout_text)
+
+        # check if certificate is tracked by certmonger
+        status = wait_for_request(request_id[0], 300)
+        assert status == "MONITORING"
+
+        # ensure if key and token are re-usable
+        cmd_args = ['getcert', 'resubmit', '-i', request_id[0]]
+        self.master.run_command(cmd_args)
+
+        status = wait_for_request(request_id[0], 300)
+        assert status == "MONITORING"
+
 
 class TestInstallWithCA_KRA1(InstallTestBase1):
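Review bot: `status = wait_for_request(request_id[0], 300)` uses the helper imported from `ipalib.install.certmonger`, which as far as I can tell queries certmonger over D-Bus on the machine it runs on — the pytest controller, not `self.master` where the tracking request was created — so both MONITORING assertions (also the one after `getcert resubmit`) read the wrong host's certmonger; the status should be polled on the master with `getcert list -i <id>` through `self.master.run_command`, as sketched below (needs `time` in scope). Before `request_id[0]` is used, `request_id = re.findall(r'\d+', result.stdout_text)` deserves an `assert request_id, result.stdout_text`, so a changed ipa-getcert message fails with the command output instead of an IndexError, and a pattern anchored on the quoted id would be less likely to pick up an unrelated number first. The PIN is already written to `/root/pinfile`, so `ipa-getcert start-tracking` could take `'-p', '/root/pinfile'` instead of `'-P', pin` (pk12util has the `-k`/`-w` file variants for `-K`/`-W`) to keep the secrets out of the process argument list and the captured test logs. The test also mutates the system NSS database (`paths.NSS_DB_DIR`), installs DNS mid-class and leaves the softhsm module, the tracked request and the `/root/*` artefacts behind, which can bleed into later tests of this class; a `getcert stop-tracking -i` plus file cleanup in a `finally` block would contain that.
```python
        # check if certificate is tracked by certmonger -- poll the master,
        # not the local certmonger that the ipalib helper talks to over D-Bus
        status = None
        for _ in range(0, 300, 5):
            result = self.master.run_command(
                ['getcert', 'list', '-i', request_id[0]])
            if 'status: MONITORING' in result.stdout_text:
                status = 'MONITORING'
                break
            time.sleep(5)
        assert status == "MONITORING"
        # … unchanged: getcert resubmit, followed by the same poll again …
```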