Commit Graph

16 Commits

Author SHA1 Message Date
Rob Crittenden
70306515f7 ipatests: Clean up existing ACME registration and certs
The same base class is used for ACME setup and configuration.
Be sure to clean up any existing registraton prior to continuing
otherwise ACME register will complain.

https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-11-25 16:16:12 -05:00
Rob Crittenden
89fddb0750 ipatests: Configure a replica in TestACMEwithExternalCA
This subclasses TestACME which installs and configures a
replica in order to verify global enable/disable of ACME.

https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-11-25 16:16:12 -05:00
Rob Crittenden
790b765598 ipatests: call the CALess install method to generate the CA
https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-11-25 16:16:12 -05:00
Mohammad Rizwan
c4a6b0e566 Move acme client installation part to classmethod
Moved the acme client installation part to classmethod
so that it can be leveraged further.

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-12 15:14:12 -05:00
Mohammad Rizwan
cbbfcd9b1e PEP8 fixes for test_acme.py
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-12 15:14:12 -05:00
Mohammad Rizwan
9dccf17a6c External-CA scenarios for ACME service
Inherited the TestACME class by overriding install()
to install the ipa master with external CA. It will
setup the External-CA and will call all the test
method from TestACME class.

related: https://pagure.io/freeipa/issue/4751

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-12 15:14:12 -05:00
Florence Blanc-Renaud
3d2a4f25f7 ipatests: ipa-acme-manage status returns 3 on a CA-less server
test_acme.py::TestACMECALess::test_enable_caless_to_cafull_replica is
running ipa-acme-manage status on a CA-less server and wrongly
expects retcode =1. According to the man page, the command returns 3
when executed on a server where the CA is not installed.

Fixes: https://pagure.io/freeipa/issue/8572
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-09 16:06:40 -05:00
Rob Crittenden
c8f13cd855 ipatests: Add tests for requiring ipa-ca SAN when ACME is enabled
Test that:

1. With ACME enabled, SAN is required
2. With ACME disabled, SAN is not required

Also verify the ipa-acme-manage status command.

https://pagure.io/freeipa/issue/8498

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 14:01:05 -05:00
Rob Crittenden
e0ff82c884 Change the return codes of ipa-acme-manage
Traditionally in IPA 0 = success, 1 = error and then
specific error messages follow from that. Shift the
ipa-acme-manage return codes for "not installed" and
"not a CA" up by one.

https://pagure.io/freeipa/issue/8498

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 14:01:05 -05:00
Mohammad Rizwan
e7fd791579 ipatests: Check if ACME is enabled on all CA servers
Test if ACME service is enabled on replica if eabled on
server. This is to check the centralize enable/disable
from single host.

ipatests: Test if ACME is enabled on replica when converted from CA-less to CA-full

Deployment where one server is deployed as CA-less and acme is enabled, when converted
to CA full, should have ACME enabled by default.

ipatests: Test ACME with CA-less replica when converted to CA-full

Deployment have one ca-less replica and ACME is not enabled.
After converting ca-less replica to ca-full, ACME can be
enabled or disabled.

related:
https://pagure.io/freeipa/issue/8524

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 10:43:57 -05:00
Rob Crittenden
92c3ea4e29 Don't install ACME if full support is not available
The initial ACME support required that each server individually
enable/disable the service. PKI 10.10.0 stores this state in LDAP
so global enable/disable is available and the IPA code relies on
this.

Parse the VERSION file shipped with PKI to determine the version.

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 10:43:57 -05:00
Fraser Tweedale
525b946b75 acme: enable mod_md tests on Fedora
The Fedora mod_md package has received the required fixes
(see https://bugzilla.redhat.com/show_bug.cgi?id=1832841).
We can now enable the mod_md tests on Fedora.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-07-10 08:33:22 -04:00
Fraser Tweedale
678b8e682b acme: add certbot dns-01 test
Add a test for the dns-01 challenge using Certbot.  This test uses
the new hook scripts distributed in the freeipa-client package.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-07-10 08:33:22 -04:00
Fraser Tweedale
e976dde8e1 acme: add revocation test
Add an integration test that tests revocation via Certbot.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-07-10 08:33:22 -04:00
Fraser Tweedale
85d0272053 acme: add mod_md integration test
Add a test that configures a client to use mod_md Apache httpd
module to acquire a certificate from FreeIPA ACME service.  This
test is currently skipped on Fedora because the package needs a fix
(see https://bugzilla.redhat.com/show_bug.cgi?id=1832841).

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-07-10 08:33:22 -04:00
Fraser Tweedale
7b00035764 acme: add integration test
Add a preliminary integration test for the FreeIPA ACME service.  It
only tests Certbot and the http-01 challenge.  Testing of DNS
challenge could come later.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-07-10 08:33:22 -04:00