freeipa/ipatests/test_integration/test_external_ca.py
Florence Blanc-Renaud d61d1b059c Make test_external_ca.py compatible with crypto 41.0.0
The integration test test_external_ca.py is not compatible with
python-cryptography 41.0.0+.

The test is installing ipa server with an externally-signed CA cert
using a Microsoft Certificate Service profile:
ipa-server-install --external-ca --external-ca-type ms-cs
                    --external-ca-profile "1.2.3.4:10:200"
The command generates a CSR in /root/ipa.csr. The test reads the CSR,
extracts the extensions and compares with the requested extension
for the Microsoft Template.
With python-cryptography 41.0.0+, the extension can be decoded as
cryptography.x509.MSCertificateTemplate while with older version
the extension is decoded as cryptography.x509.UnrecognizedExtension.

Handle both cases properly.

Fixes: https://pagure.io/freeipa/issue/9490

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-12-11 09:49:47 +01:00

652 lines
24 KiB
Python

#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import absolute_import
import os
import re
import time
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest
from ipalib import x509 as ipa_x509
from ipaplatform.paths import paths
from ipapython.dn import DN
from itertools import chain, repeat
from ipatests.create_external_ca import ExternalCA, ISSUER_CN
IPA_CA = 'ipa_ca.crt'
ROOT_CA = 'root_ca.crt'
# string to identify PKI restart in the journal
PKI_START_STR = 'Started pki_tomcatd'
def check_CA_flag(host, nssdb=paths.PKI_TOMCAT_ALIAS_DIR,
cn=ISSUER_CN):
"""
Check if external CA (by default 'example.test' in our test env) has
CA flag in nssdb.
"""
result = host.run_command(['certutil', '-L', '-d', nssdb])
text = result.stdout_text
# match CN in cert nickname and C flag in SSL section of NSS flags table
match_CA_flag = re.compile(r'.*{}.*\s+C'.format(cn))
match = re.search(match_CA_flag, text)
return match
def match_in_journal(host, string, since='today', services=('certmonger',)):
"""
Returns match object for the particular string.
"""
# prepend '-u' before every service name
service_args = list(chain.from_iterable(list(zip(repeat('-u'), services))))
command_args = ['journalctl', '--since={}'.format(since)] + service_args
result = host.run_command(command_args)
output = result.stdout_text
traceback = re.compile(string)
match = re.search(traceback, output)
return match
def install_server_external_ca_step1(host, extra_args=(), raiseonerr=True):
"""Step 1 to install the ipa server with external ca"""
return tasks.install_master(
host, external_ca=True, extra_args=extra_args, raiseonerr=raiseonerr,
)
def install_server_external_ca_step2(host, ipa_ca_cert, root_ca_cert,
raiseonerr=True):
"""Step 2 to install the ipa server with external ca"""
args = ['ipa-server-install', '-U', '-r', host.domain.realm,
'-a', host.config.admin_password,
'-p', host.config.dirman_password,
'--external-cert-file', ipa_ca_cert,
'--external-cert-file', root_ca_cert]
cmd = host.run_command(args, raiseonerr=raiseonerr)
return cmd
def service_control_dirsrv(host, function):
"""Function to control the dirsrv service i.e start, stop, restart etc"""
dashed_domain = host.domain.realm.replace(".", '-')
dirsrv_service = "dirsrv@%s.service" % dashed_domain
cmd = host.run_command(['systemctl', function, dirsrv_service])
assert cmd.returncode == 0
def check_ipaca_issuerDN(host, expected_dn):
result = host.run_command(['ipa', 'ca-show', 'ipa'])
assert "Issuer DN: {}".format(expected_dn) in result.stdout_text
def check_mscs_extension(ipa_csr, template):
csr = x509.load_pem_x509_csr(ipa_csr, default_backend())
extensions = [
ext for ext in csr.extensions
if ext.oid.dotted_string == template.ext_oid
]
assert extensions
mscs_ext = extensions[0].value
# Crypto 41.0.0 supports cryptography.x509.MSCertificateTemplate
# The extension gets decoded into MSCertificateTemplate which
# provides additional attributes (template_id, major_minor and
# minor_version)
# If the test is executed with an older python-cryptography version,
# the extension is decoded as UnrecognizedExtension instead and
# provides only the encoded payload
if isinstance(mscs_ext, x509.UnrecognizedExtension):
assert mscs_ext.value == template.get_ext_data()
else:
# Compare the decoded extension with the values specified in the
# template with a format name_or_oid:major:minor
parts = template.unparsed_input.split(':')
assert mscs_ext.template_id.dotted_string == parts[0]
if isinstance(template, ipa_x509.MSCSTemplateV2):
# Also contains OID:major[:minor]
major = int(parts[1])
assert major == mscs_ext.major_version
if len(parts) > 2:
minor = int(parts[2])
assert minor == mscs_ext.minor_version
class TestExternalCA(IntegrationTest):
"""
Test of FreeIPA server installation with external CA
"""
num_replicas = 1
num_clients = 1
def test_external_ca(self):
# Step 1 of ipa-server-install.
result = install_server_external_ca_step1(
self.master, extra_args=['--external-ca-type=ms-cs']
)
assert result.returncode == 0
# check CSR for extension
ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR)
check_mscs_extension(ipa_csr, ipa_x509.MSCSTemplateV1(u'SubCA'))
# Sign CA, transport it to the host and get ipa a root ca paths.
root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)
# Step 2 of ipa-server-install.
result = install_server_external_ca_step2(
self.master, ipa_ca_fname, root_ca_fname)
assert result.returncode == 0
# Make sure IPA server is working properly
tasks.kinit_admin(self.master)
result = self.master.run_command(['ipa', 'user-show', 'admin'])
assert 'User login: admin' in result.stdout_text
# check that we can also install replica
tasks.install_replica(self.master, self.replicas[0])
# check that nsds5ReplicaReleaseTimeout option was set
result = tasks.ldapsearch_dm(
self.master,
'cn=mapping tree,cn=config',
['(cn=replica)'],
)
# case insensitive match
text = result.stdout_text.lower()
# see ipaserver.install.replication.REPLICA_FINAL_SETTINGS
assert 'nsds5ReplicaReleaseTimeout: 60'.lower() in text
assert 'nsDS5ReplicaBindDnGroupCheckInterval: 60'.lower() in text
def test_client_installation_with_otp(self):
# Test for issue 7526: client installation fails with one-time
# password when the master is installed with an externally signed
# CA because the whole cert chain is not published in
# /usr/share/ipa/html/ca.crt
# Create a random password for the client
client = self.clients[0]
client_pwd = 'Secret123'
args = ['ipa',
'host-add', client.hostname,
'--ip-address', client.ip,
'--no-reverse',
'--password', client_pwd]
self.master.run_command(args)
# Enroll the client with the client_pwd
client.run_command(
['ipa-client-install',
'--domain', self.master.domain.name,
'--server', self.master.hostname,
'-w', client_pwd,
'-U'])
class TestExternalCAConstraints(IntegrationTest):
"""Test of FreeIPA server installation with external CA and constraints
"""
num_replicas = 0
num_clients = 1
def test_external_ca_constrained(self):
install_server_external_ca_step1(self.master)
# name constraints for IPA DNS domain (dot prefix)
nameconstraint = x509.NameConstraints(
permitted_subtrees=[
x509.DNSName("." + self.master.domain.name),
],
excluded_subtrees=None
)
root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA,
root_ca_extensions=[nameconstraint],
)
install_server_external_ca_step2(
self.master, ipa_ca_fname, root_ca_fname
)
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'ping'])
def verify_caentry(host, cert):
"""
Verify the content of cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,basedn
and make sure that ipaConfigString contains the expected values.
Verify the content of cn=cacert,cn=certificates,cn=ipa,cn=etc,basedn
and make sure that it contains the expected certificate.
"""
# Check the LDAP entry
ldap = host.ldap_connect()
# cn=DOMAIN IPA CA must contain ipaConfigString: ipaCa, compatCA
ca_nick = '{} IPA CA'.format(host.domain.realm)
entry = ldap.get_entry(DN(('cn', ca_nick), ('cn', 'certificates'),
('cn', 'ipa'), ('cn', 'etc'),
host.domain.basedn))
ipaconfigstring = [x.lower() for x in entry.get('ipaconfigstring')]
expected = ['compatca', 'ipaca']
assert expected == sorted(ipaconfigstring)
# cn=cacert,cn=certificates,cn=etc,basedn must contain the latest
# IPA CA
entry2 = ldap.get_entry(DN(('cn', 'CACert'), ('cn', 'ipa'),
('cn', 'etc'), host.domain.basedn))
cert_from_ldap = entry2.single_value['cACertificate']
assert cert == cert_from_ldap
class TestSelfExternalSelf(IntegrationTest):
"""
Test self-signed > external CA > self-signed test case.
"""
def test_install_master(self):
result = tasks.install_master(self.master)
assert result.returncode == 0
# Check the content of the ldap entries for the CA
remote_cacrt = self.master.get_file_contents(paths.IPA_CA_CRT)
cacrt = ipa_x509.load_pem_x509_certificate(remote_cacrt)
verify_caentry(self.master, cacrt)
def test_switch_to_external_ca(self):
result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
'--external-ca'])
assert result.returncode == 0
# Sign CA, transport it to the host and get ipa a root ca paths.
root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
self.master, paths.IPA_CA_CSR, ROOT_CA, IPA_CA)
# renew CA with externally signed one
result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
'--external-cert-file={}'.
format(ipa_ca_fname),
'--external-cert-file={}'.
format(root_ca_fname)])
assert result.returncode == 0
# update IPA certificate databases
result = self.master.run_command([paths.IPA_CERTUPDATE])
assert result.returncode == 0
# Check if external CA have "C" flag after the switch
result = check_CA_flag(self.master)
assert bool(result), ('External CA does not have "C" flag')
# Check that ldap entries for the CA have been updated
remote_cacrt = self.master.get_file_contents(ipa_ca_fname)
cacrt = ipa_x509.load_pem_x509_certificate(remote_cacrt)
verify_caentry(self.master, cacrt)
def test_issuerDN_after_renew_to_external(self):
""" Check if issuer DN is updated after self-signed > external-ca
This test checks if issuer DN is updated properly after CA is
renewed from self-signed to external-ca
"""
check_ipaca_issuerDN(self.master, "CN={}".format(ISSUER_CN))
def test_switch_back_to_self_signed(self):
# for journalctl --since
switch_time = time.strftime('%Y-%m-%d %H:%M:%S')
# switch back to self-signed CA
result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
'--self-signed'])
assert result.returncode == 0
# Confirm there is no traceback in the journal
result = match_in_journal(self.master, since=switch_time,
string='Traceback')
assert not bool(result), ('"Traceback" keyword found in the journal.'
'Please check further')
# Check if pki-tomcatd was started after switching back.
result = match_in_journal(self.master, since=switch_time,
string=PKI_START_STR)
assert bool(result), ('pki_tomcatd not started after switching back to'
'self-signed CA')
result = self.master.run_command([paths.IPA_CERTUPDATE])
assert result.returncode == 0
def test_issuerDN_after_renew_to_self_signed(self):
""" Check if issuer DN is updated after external-ca > self-signed
This test checks if issuer DN is updated properly after CA is
renewed back from external-ca to self-signed
"""
issuer_dn = 'CN=Certificate Authority,O={}'.format(
self.master.domain.realm)
check_ipaca_issuerDN(self.master, issuer_dn)
class TestExternalCAdirsrvStop(IntegrationTest):
"""When the dirsrv service, which gets started during the first
ipa-server-install --external-ca phase, is not running when the
second phase is run with --external-cert-file options, the
ipa-server-install command fail.
This test checks if second phase installs successfully when dirsrv
is stoped.
related ticket: https://pagure.io/freeipa/issue/6611"""
def test_external_ca_dirsrv_stop(self):
# Step 1 of ipa-server-install
result = install_server_external_ca_step1(self.master)
assert result.returncode == 0
# stop dirsrv server.
service_control_dirsrv(self.master, 'stop')
# Sign CA, transport it to the host and get ipa and root ca paths.
root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)
# Step 2 of ipa-server-install.
result = install_server_external_ca_step2(
self.master, ipa_ca_fname, root_ca_fname)
assert result.returncode == 0
# Make sure IPA server is working properly
tasks.kinit_admin(self.master)
result = self.master.run_command(['ipa', 'user-show', 'admin'])
assert 'User login: admin' in result.stdout_text
class TestExternalCAInvalidCert(IntegrationTest):
"""Manual renew external CA cert with invalid file"""
def test_external_ca(self):
# Step 1 of ipa-server-install.
install_server_external_ca_step1(self.master)
# Sign CA, transport it to the host and get ipa a root ca paths.
root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)
# Step 2 of ipa-server-install.
install_server_external_ca_step2(self.master, ipa_ca_fname,
root_ca_fname)
self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
'--external-ca'])
result = self.master.run_command(['grep', '-v', 'CERTIFICATE',
ipa_ca_fname])
contents = result.stdout_text
BAD_CERT = 'bad_ca.crt'
invalid_cert = os.path.join(self.master.config.test_dir, BAD_CERT)
self.master.put_file_contents(invalid_cert, contents)
# Sign CA, transport it to the host and get ipa a root ca paths.
root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
self.master, paths.IPA_CA_CSR, ROOT_CA, IPA_CA)
# renew CA with invalid cert
cmd = [paths.IPA_CACERT_MANAGE, 'renew', '--external-cert-file',
invalid_cert, '--external-cert-file', root_ca_fname]
result = self.master.run_command(cmd, raiseonerr=False)
assert result.returncode == 1
def test_external_ca_with_too_small_key(self):
# reuse the existing deployment and renewal CSR
root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
self.master, paths.IPA_CA_CSR, ROOT_CA, IPA_CA, key_size=1024)
cmd = [
paths.IPA_CACERT_MANAGE, 'renew',
'--external-cert-file', ipa_ca_fname,
'--external-cert-file', root_ca_fname,
]
result = self.master.run_command(cmd, raiseonerr=False)
assert result.returncode == 1
class TestExternalCAInvalidIntermediate(IntegrationTest):
"""Test case for https://pagure.io/freeipa/issue/7877"""
def test_invalid_intermediate(self):
install_server_external_ca_step1(self.master)
root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA,
root_ca_path_length=0
)
result = install_server_external_ca_step2(
self.master, ipa_ca_fname, root_ca_fname, raiseonerr=False
)
assert result.returncode > 0
assert "basic contraint pathlen" in result.stderr_text
class TestExternalCAInstall(IntegrationTest):
"""install CA cert manually """
def test_install_master(self):
# step 1 install ipa-server
tasks.install_master(self.master)
def test_install_external_ca(self):
# Create root CA
external_ca = ExternalCA()
# Create root CA
root_ca = external_ca.create_ca()
root_ca_fname = os.path.join(self.master.config.test_dir, ROOT_CA)
# Transport certificates (string > file) to master
self.master.put_file_contents(root_ca_fname, root_ca)
# Install new cert
self.master.run_command([paths.IPA_CACERT_MANAGE, 'install',
root_ca_fname])
class TestMultipleExternalCA(IntegrationTest):
"""Setup externally signed ca1
install ipa-server with externally signed ca1
Setup externally signed ca2 and renew ipa-server with
externally signed ca2 and check the difference in certificate
"""
def test_master_install_ca1(self):
install_server_external_ca_step1(self.master)
# Sign CA, transport it to the host and get ipa a root ca paths.
root_ca_fname1 = tasks.create_temp_file(
self.master, directory=paths.TMP, suffix="root_ca.crt"
)
ipa_ca_fname1 = tasks.create_temp_file(
self.master, directory=paths.TMP, suffix="ipa_ca.crt"
)
ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR)
external_ca = ExternalCA()
root_ca = external_ca.create_ca(cn='RootCA1')
ipa_ca = external_ca.sign_csr(ipa_csr)
self.master.put_file_contents(root_ca_fname1, root_ca)
self.master.put_file_contents(ipa_ca_fname1, ipa_ca)
# Step 2 of ipa-server-install.
install_server_external_ca_step2(self.master, ipa_ca_fname1,
root_ca_fname1)
cert_nick = "caSigningCert cert-pki-ca"
result = self.master.run_command([
'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR,
'-n', cert_nick])
assert "CN=RootCA1" in result.stdout_text
def test_master_install_ca2(self):
root_ca_fname2 = tasks.create_temp_file(
self.master, directory=paths.TMP, suffix="root_ca.crt"
)
ipa_ca_fname2 = tasks.create_temp_file(
self.master, directory=paths.TMP, suffix="ipa_ca.crt"
)
self.master.run_command([
paths.IPA_CACERT_MANAGE, 'renew', '--external-ca'])
ipa_csr = self.master.get_file_contents(paths.IPA_CA_CSR)
external_ca = ExternalCA()
root_ca = external_ca.create_ca(cn='RootCA2')
ipa_ca = external_ca.sign_csr(ipa_csr)
self.master.put_file_contents(root_ca_fname2, root_ca)
self.master.put_file_contents(ipa_ca_fname2, ipa_ca)
# Step 2 of ipa-server-install.
self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
'--external-cert-file', ipa_ca_fname2,
'--external-cert-file', root_ca_fname2])
cert_nick = "caSigningCert cert-pki-ca"
result = self.master.run_command([
'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR,
'-n', cert_nick])
assert "CN=RootCA2" in result.stdout_text
def _step1_profile(master, s):
return install_server_external_ca_step1(
master,
extra_args=['--external-ca-type=ms-cs', f'--external-ca-profile={s}'],
raiseonerr=False,
)
def _test_invalid_profile(master, profile):
result = _step1_profile(master, profile)
assert result.returncode != 0
assert '--external-ca-profile' in result.stderr_text
def _test_valid_profile(master, profile_cls, profile):
result = _step1_profile(master, profile)
assert result.returncode == 0
ipa_csr = master.get_file_contents(paths.ROOT_IPA_CSR)
check_mscs_extension(ipa_csr, profile_cls(profile))
class TestExternalCAProfileScenarios(IntegrationTest):
"""
Test the various --external-ca-profile scenarios.
This test is broken into sections, with each section first
testing invalid arguments, then a valid argument, and finally
uninstalling the half-installed IPA.
"""
'''
Tranche 1: version 1 templates.
Test that --external-ca-profile=Foo gets propagated to the CSR.
The default template extension when --external-ca-type=ms-cs,
a V1 extension with value "SubCA", already gets tested by the
``TestExternalCA`` class.
We only need to do Step 1 of installation, then check the CSR.
'''
def test_invalid_v1_template(self):
_test_invalid_profile(self.master, 'NotAnOid:1')
def test_valid_v1_template(self):
_test_valid_profile(
self.master, ipa_x509.MSCSTemplateV1, 'TemplateOfAwesome')
def test_uninstall_1(self):
tasks.uninstall_master(self.master)
'''
Tranche 2: V2 templates without minor version.
Test that V2 template specifiers without minor version get
propagated to CSR. This class also tests all error modes in
specifying a V2 template, those being:
- no major version specified
- too many parts specified (i.e. major, minor, and then some more)
- major version is not an int
- major version is negative
- minor version is not an int
- minor version is negative
We only need to do Step 1 of installation, then check the CSR.
'''
def test_v2_template_too_few_parts(self):
_test_invalid_profile(self.master, '1.2.3.4')
def test_v2_template_too_many_parts(self):
_test_invalid_profile(self.master, '1.2.3.4:100:200:300')
def test_v2_template_major_version_not_int(self):
_test_invalid_profile(self.master, '1.2.3.4:wat:200')
def test_v2_template_major_version_negative(self):
_test_invalid_profile(self.master, '1.2.3.4:-1:200')
def test_v2_template_minor_version_not_int(self):
_test_invalid_profile(self.master, '1.2.3.4:100:wat')
def test_v2_template_minor_version_negative(self):
_test_invalid_profile(self.master, '1.2.3.4:100:-2')
def test_v2_template_valid_major_only(self):
_test_valid_profile(
self.master, ipa_x509.MSCSTemplateV2, '1.2.3.4:100')
def test_uninstall_2(self):
tasks.uninstall_master(self.master)
'''
Tranche 3: V2 templates with minor version.
Test that V2 template specifiers _with_ minor version get
propagated to CSR. All error modes of V2 template specifiers
were tested in ``TestExternalCAProfileV2Major``.
We only need to do Step 1 of installation, then check the CSR.
'''
def test_v2_template_valid_major_minor(self):
_test_valid_profile(
self.master, ipa_x509.MSCSTemplateV2, '1.2.3.4:100:200')
# this is the end; no need to uninstall.