The test ipatests/test_integration/test_fips.py is faking FIPS mode and calls "openssl md5" to ensure the algo is not available in the fake FIPS mode. The error message has been updated with openssl-3.0.5-5. In the past the command used to return: $ openssl md5 /dev/null Error setting digest 140640350118336:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:147: And now it returns: $ openssl md5 /dev/null Error setting digest 00C224822E7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD5 : 97), Properties () 00C224822E7F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:252: To be compatible with all versions, only check the common part: Error setting digest Mark the test as xfail since installation is currently not working. Related: https://pagure.io/freeipa/issue/9002 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
#
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
#
"""Smoke tests for FreeIPA installation in (fake) userspace FIPS mode
"""
import pytest
from ipaplatform.osinfo import osinfo
from ipapython.dn import DN
from ipapython.ipautil import ipa_generate_password, realm_to_suffix
from ipatests.pytest_ipa.integration import tasks
from ipatests.pytest_ipa.integration import fips
from ipatests.test_integration.base import IntegrationTest
from .test_dnssec import (
test_zone,
dnssec_install_master,
dnszone_add_dnssec,
wait_until_record_is_signed,
)
@pytest.mark.xfail(
    osinfo.id == 'fedora' and osinfo.version_number > (35,),
    reason='freeipa ticket 9002', strict=True)
class TestInstallFIPS(IntegrationTest):
    """Install master, replica and client with (fake) FIPS mode enabled.

    The whole class is marked xfail on Fedora newer than 35 because the
    installation itself is currently broken there (freeipa ticket 9002);
    ``strict=True`` turns an unexpected pass into a failure, so the marker
    has to be removed once the ticket is fixed.
    """

    num_replicas = 1
    num_clients = 1
    # class-level switch for the test harness; install() below asserts that
    # every host really reports FIPS mode before any installer runs
    fips_mode = True

    @classmethod
    def install(cls, mh):
        """Prepare all hosts, then install master, replica and clients.

        A host that does not report FIPS mode at this point means the
        fake FIPS setup is broken, not FreeIPA, so that is checked first.
        """
        super().install(mh)
        # sanity check: fake FIPS must be in place on every host
        for host in cls.get_all_hosts():
            assert host.is_fips_mode
            assert fips.is_fips_enabled(host)
        # patch named-pkcs11 crypto policy, see RHBZ#1772111: strip RSAMD5
        # from bind's crypto policy on the hosts that will serve DNS
        bind_policy = "/etc/crypto-policies/back-ends/bind.config"
        for dns_host in [cls.master] + cls.replicas:
            dns_host.run_command(
                ["sed", "-i", "-E", "s/RSAMD5;//g", bind_policy]
            )
        # master with CA, KRA, DNS+DNSSEC
        tasks.install_master(cls.master, setup_dns=True, setup_kra=True)
        # replica with CA, KRA, DNS
        tasks.install_replica(
            cls.master,
            cls.replicas[0],
            setup_dns=True,
            setup_ca=True,
            setup_kra=True,
        )
        tasks.install_clients([cls.master] + cls.replicas, cls.clients)

    def test_basic(self):
        """Client obtains an admin ticket and `ipa ping` reaches the server."""
        client = self.clients[0]
        tasks.kinit_admin(client)
        client.run_command(["ipa", "ping"])

    def test_dnssec(self):
        """A DNSSEC zone gets signed on master and replica under FIPS."""
        dnssec_install_master(self.master)
        # DNSSEC zone
        dnszone_add_dnssec(self.master, test_zone)
        master_signed = wait_until_record_is_signed(
            self.master.ip, test_zone, timeout=100
        )
        assert master_signed, ("Zone %s is not signed (master)" % test_zone)

        # test replica; replication needs more time than the master itself
        replica_signed = wait_until_record_is_signed(
            self.replicas[0].ip, test_zone, timeout=200
        )
        assert replica_signed, (
            "DNS zone %s is not signed (replica)" % test_zone
        )

    def test_vault_basic(self):
        """Symmetric vault add, archive and retrieve work under FIPS.

        No assertion is made on the command output: each step passes as
        long as run_command does not raise, so the retrieved payload is
        never compared with vault_data.
        """
        vault_name = "testvault"
        # password generated per run by ipa_generate_password rather than a
        # fixed literal
        vault_password = ipa_generate_password()
        vault_data = "SSBsb3ZlIENJIHRlc3RzCg=="
        master = self.master
        # create vault
        master.run_command(
            [
                "ipa", "vault-add", vault_name,
                "--password", vault_password,
                "--type", "symmetric",
            ]
        )

        # archive secret
        master.run_command(
            [
                "ipa", "vault-archive", vault_name,
                "--password", vault_password,
                "--data", vault_data,
            ]
        )
        # retrieve it again
        master.run_command(
            ["ipa", "vault-retrieve", vault_name, "--password", vault_password]
        )

    def test_krb_enctypes(self):
        """Kerberos enc/salt types exclude camellia and keep AES everywhere.

        Reads krbSupportedEncSaltTypes and krbDefaultEncSaltTypes from the
        realm container on master and replicas, then re-runs
        ipa-server-upgrade on the master to verify the upgrade path does
        not add camellia back.
        """
        realm = self.master.domain.realm
        suffix = realm_to_suffix(realm)
        realm_dn = DN(("cn", realm), ("cn", "kerberos")) + suffix
        attrs = ["krbSupportedEncSaltTypes", "krbDefaultEncSaltTypes"]

        def enctypes_on(host):
            # base-scope search as Directory Manager, text output only
            result = tasks.ldapsearch_dm(host, str(realm_dn), attrs,
                                         scope="base")
            return result.stdout_text

        for server in [self.master] + self.replicas:
            output = enctypes_on(server)
            assert "camellia" not in output
            assert "aes256-cts" in output
            assert "aes128-cts" in output
        # test that update does not add camellia
        self.master.run_command(["ipa-server-upgrade"])
        assert "camellia" not in enctypes_on(self.master)
|