Based on userspace FIPS mode by Ondrej Moris. Userspace FIPS mode fakes a Kernel in FIPS enforcing mode. User space programs behave like the Kernel was booted in FIPS enforcing mode. Kernel space code still runs in standard mode. Fixes: https://pagure.io/freeipa/issue/8118 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
#
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
#
"""Smoke tests for FreeIPA installation in (fake) userspace FIPS mode
"""
from ipapython.dn import DN
from ipapython.ipautil import ipa_generate_password, realm_to_suffix
from ipatests.pytest_ipa.integration import tasks
from ipatests.pytest_ipa.integration import fips
from ipatests.test_integration.base import IntegrationTest
from .test_dnssec import (
test_zone,
dnssec_install_master,
dnszone_add_dnssec,
wait_until_record_is_signed,
)
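class TestInstallFIPS(IntegrationTest):
    """Install master, replica and client with every host in FIPS mode.

    The integration harness brings all hosts up in (userspace) FIPS mode
    before the servers are installed.  The tests then exercise a handful
    of FIPS-sensitive features: client connectivity, DNSSEC signing, KRA
    vaults and the Kerberos encryption types written to LDAP.
    """

    num_replicas = 1
    num_clients = 1
    # instructs the integration harness to enable FIPS mode on every host
    fips_mode = True

    @classmethod
    def install(cls, mh):
        """Provision master (CA, KRA, DNS), replica (CA, KRA, DNS) and client.

        Before installing anything, verify that FIPS mode is really active
        on every host and apply the bind crypto-policy workaround that
        named-pkcs11 needs in FIPS mode (RHBZ#1772111).
        """
        super(TestInstallFIPS, cls).install(mh)
        # sanity check: if any host is not in FIPS mode the remaining
        # assertions would silently test a non-FIPS deployment
        for host in cls.get_all_hosts():
            assert host.is_fips_mode
            assert fips.is_fips_enabled(host)
        # patch named-pkcs11 crypto policy: strip the RSAMD5 algorithm
        # (MD5 is not FIPS-approved) from bind's policy, see RHBZ#1772111
        for host in [cls.master] + cls.replicas:
            host.run_command(
                [
                    "sed",
                    "-i",
                    "-E",
                    "s/RSAMD5;//g",
                    "/etc/crypto-policies/back-ends/bind.config",
                ]
            )
        # master with CA, KRA, DNS+DNSSEC
        tasks.install_master(cls.master, setup_dns=True, setup_kra=True)
        # replica with CA, KRA, DNS
        tasks.install_replica(
            cls.master,
            cls.replicas[0],
            setup_dns=True,
            setup_ca=True,
            setup_kra=True,
        )
        tasks.install_clients([cls.master] + cls.replicas, cls.clients)

    def test_basic(self):
        """Kerberos-authenticated client can reach the API in FIPS mode."""
        client = self.clients[0]
        tasks.kinit_admin(client)
        client.run_command(["ipa", "ping"])

    def test_dnssec(self):
        """DNSSEC zone gets signed on the master and on the replica."""
        dnssec_install_master(self.master)
        # DNSSEC zone
        dnszone_add_dnssec(self.master, test_zone)
        assert wait_until_record_is_signed(
            self.master.ip, test_zone, timeout=100
        ), ("Zone %s is not signed (master)" % test_zone)

        # test replica; replication of the signed records takes longer,
        # hence the larger timeout
        assert wait_until_record_is_signed(
            self.replicas[0].ip, test_zone, timeout=200
        ), ("DNS zone %s is not signed (replica)" % test_zone)

    def test_vault_basic(self):
        """Create a symmetric vault, archive a secret and retrieve it again.

        The retrieved payload is compared with the archived one, so a vault
        that accepts the archive but returns nothing (or garbage) fails the
        test instead of passing silently.
        """
        vault_name = "testvault"
        # random throwaway password for this disposable deployment; it is
        # passed on argv only because the hosts are test-only
        vault_password = ipa_generate_password()
        # base64-encoded payload, as expected by --data
        vault_data = "SSBsb3ZlIENJIHRlc3RzCg=="
        # create vault
        self.master.run_command(
            [
                "ipa",
                "vault-add",
                vault_name,
                "--password",
                vault_password,
                "--type",
                "symmetric",
            ]
        )

        # archive secret
        self.master.run_command(
            [
                "ipa",
                "vault-archive",
                vault_name,
                "--password",
                vault_password,
                "--data",
                vault_data,
            ]
        )
        # retrieve secret and verify that it round-trips unchanged
        result = self.master.run_command(
            [
                "ipa",
                "vault-retrieve",
                vault_name,
                "--password",
                vault_password,
            ]
        )
        assert vault_data in result.stdout_text

    def test_krb_enctypes(self):
        """Kerberos enctypes in LDAP are FIPS-compliant, also after upgrade.

        camellia must not be offered in FIPS mode while the AES enctypes
        must stay available, on every server and after ipa-server-upgrade.
        """
        realm = self.master.domain.realm
        suffix = realm_to_suffix(realm)
        dn = DN(("cn", realm), ("cn", "kerberos")) + suffix
        args = ["krbSupportedEncSaltTypes", "krbDefaultEncSaltTypes"]

        def assert_fips_enctypes(host):
            # read both enctype attributes as Directory Manager and check
            # the FIPS expectations on the raw ldapsearch output
            result = tasks.ldapsearch_dm(host, str(dn), args, scope="base")
            assert "camellia" not in result.stdout_text
            assert "aes256-cts" in result.stdout_text
            assert "aes128-cts" in result.stdout_text

        for host in [self.master] + self.replicas:
            assert_fips_enctypes(host)
        # test that update does not add camellia (or drop AES)
        self.master.run_command(["ipa-server-upgrade"])
        assert_fips_enctypes(self.master)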