Commit Graph

24 Commits

Author SHA1 Message Date
Stanislav Levin
17f430efc4 EPN: Allow authentication by SMTP client's certificate
SMTP server may ask or require client's certificate for verification.
To support this the underlying Python's functionality is used [0].

Added 3 new options(corresponds to `load_cert_chain`):
- smtp_client_cert - the path to a single file in PEM format containing the
  certificate.
- smtp_client_key - the path to a file containing the private key in.
- smtp_client_key_pass - the password for decrypting the private key.

[0]: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_cert_chain

Fixes: https://pagure.io/freeipa/issue/8580
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Stanislav Levin
32aa1540f0 EPN: Enable certificate validation and hostname checking
https://pagure.io/freeipa/issue/8579
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Stanislav Levin
977063a56e test_epn: Standardize EPN configs for deduplication
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Stanislav Levin
94adee3c73 EPN: Don't downgrade security
If an administrator requests `smtp_security=starttls`, but SMTP
server disables STARTTLS, then EPN downgrade security to `none`,
which means plain text. Administrator doesn't expect such behavior.

Fixes: https://pagure.io/freeipa/issue/8578
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Stanislav Levin
be006ad6c4 ipatests: Respect platform's openssl dir
There are different build configurations of OpenSSL from one distro
to another. For example,

Debian: '--openssldir=/usr/lib/ssl',
Fedora: '--openssldir=/etc/pki/tls',
openSUSE: '--openssldir=/etc/ssl',
ALTLinux: '--openssldir=/var/lib/ssl'.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Rob Crittenden
af5138c2aa IPA-EPN: Test that EPN can be install, uninstalled and re-installed
Verify that no cruft is left over that will prevent reinstallation
if it is uninstalled.

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-08-18 11:06:04 +02:00
François Cami
5452f020f9 ipatests: test_epn: update error messages
Update error messages in the test.

Fixes: https://pagure.io/freeipa/issue/8449
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-08-12 09:02:08 -04:00
François Cami
97006786df IPA-EPN: enhance input validation
Enhance input validation:
* make sure --from-nbdays and --to-nbdays are integer
* make sure --from-nbdays < --to-nbdays

Fixes: https://pagure.io/freeipa/issue/8444
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-08-12 09:02:08 -04:00
François Cami
22cf65b09a IPA-EPN: Fix SMTP connection error handling
Enhance error message when SMTP is down.

Fixes: https://pagure.io/freeipa/issue/8445
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-08-10 09:02:59 -04:00
François Cami
6edf648d7b ipatests: test_epn: add test_EPN_connection_refused
Add a test for EPN behavior when the configured SMTP does not
accept connections.

Fixes: https://pagure.io/freeipa/issue/8445
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-08-10 09:02:59 -04:00
Rob Crittenden
a2bf5958ef IPA-EPN: Test that users without givenname and/or mail are handled
The admin user does not have a givenname by default, allow for that.

Report errors for users without a default e-mail address.

Update the SHA256 hash with the typo fix.

Reviewed-By: Francois Cami <fcami@redhat.com>
2020-08-07 17:14:24 -04:00
François Cami
41333b631d ipatests: test_epn: test_EPN_nbdays enhancements
Enhance test_EPN_nbdays so that it checks:
* that no emails get sent when using --dry-run
* that --from-nbdays implies --dry-run
* that --to-nbdays requires --from-nbdays
* illegal inputs for nbdays:
** from-nbdays > to-nbdays
** non-numerical input
** decimal input

Fixes: https://pagure.io/freeipa/issue/8449
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-08-07 12:50:25 +02:00
Michal Polovka
147b808ffb
ipatests: test_epn: test_EPN_config_file: Package name fix
Fix package name to respect different conventions in particular streams.

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-07-15 14:47:12 +02:00
Michal Polovka
3c18f94b29 ipatests: test_epn: Fix package installation
EPN functionality is provided as separate package
freeipa-client-epn, but it is not installed during setup. This resolves
this behaviour.

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-07-14 13:04:32 -04:00
François Cami
630c408f9e ipatests: remove dnf workaround from test_epn.py
73c02f635 introduced a workaround to make sure the latest version
of (free)ipa-client-epn was installed.
Since cc624fb17 this should not be needed anymore.

Fixes: https://pagure.io/freeipa/issue/8391
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-07-03 15:33:49 +02:00
François Cami
73c02f635d ipatests: ipa_epn: uninstall/reinstall ipa-client-epn
Due to https://github.com/freeipa/freeipa-pr-ci/issues/378
the installed version of freeipa-client-epn is not the built
one. Temporarily force uninstall/reinstall of this package
before running the test.

Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-25 15:20:21 +02:00
François Cami
0d4f022b3b ipatests: check that EPN's configuration file is installed.
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-25 15:20:21 +02:00
Rob Crittenden
ba7974bfd1 IPA-EPN: Don't treat givenname differently
This was returning givenname as a list and not as a single
string which messed up the templating.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-10 11:22:58 -04:00
Rob Crittenden
cb205cc5e4 IPA-EPN: add test to validate smtp_delay value
Configuration test to ensure that smtp_delay validation is
properly enforced.

Also reset the epn configuration when the tests are run.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-10 11:22:58 -04:00
Rob Crittenden
759ab3120e IPA-EPN: Add tests for --mail-test option
Test sending a default template email to the smtp_admin user.

Test that --mail-test and --dry-run cannot be used together.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-10 11:22:58 -04:00
Rob Crittenden
41e3d58a0b IPA-EPN: test using SSL against port 465
Enable the postfix SSL listener on port 465. The certifiates
and other configuration is already in place.

Test that sending mail is successful.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-10 11:22:58 -04:00
Rob Crittenden
7e621cf84f IPA-EPN: Add test for starttls mode
Get a certificate for postfix and configure it to allow starttls
connections.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-10 11:22:58 -04:00
Rob Crittenden
1760ad48ae IPA-EPN: Add tests for sending real mail with auth and templates
Send e-mail using postfix on localhost and read the contents to
verify that the mail was delivered and that the template was
applied correctly.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-10 11:22:58 -04:00
François Cami
3805eff417 IPA-EPN: Test suite.
Initial test suite for EPN.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: François Cami <fcami@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-09 08:43:45 +02:00