URL: https://github.com/freeipa/freeipa/pull/1372
Author: Rezney
Title: #1372: Test self-signed > external CA > self-signed test case.
Action: opened

PR body:
"""
Various changes are being done in this PR:

1. In order to avoid boilerplate code we add a function for signing a CA.
2. We add self-signed > external CA > self-signed test case itself + introduce 
two new constants.
3. We move create_caless_pki.py and create_external_ca.py modules to 
pytest_plugins. Details:

Till now both create_caless_pki.py and create_external_ca.py were
stored in the test_integration folder. However, when trying to import
e.g. "from create_external_ca import ExternalCA" from tasks.py,
where all other integration tests' support functions live, we get
"AttributeError: module 'pytest' has no attribute 'config'" as pytest
was not completely initialized at the moment of the import.

Backtrace from the issue:

```
  File "/usr/lib/python3.6/site-packages/_pytest/config.py", line 421, in consider_module
    self._import_plugin_specs(getattr(mod, 'pytest_plugins', []))
  File "/usr/lib/python3.6/site-packages/_pytest/config.py", line 426, in _import_plugin_specs
    self.import_plugin(import_spec)
  File "/usr/lib/python3.6/site-packages/_pytest/config.py", line 443, in import_plugin
    __import__(importspec)
  File "/usr/lib/python3.6/site-packages/ipatests/pytest_plugins/integration/__init__.py", line 37, in <module>
    from . import tasks
  File "<frozen importlib._bootstrap>", line 961, in _find_and_load
  File "<frozen importlib._bootstrap>", line 950, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 646, in _load_unlocked
  File "<frozen importlib._bootstrap>", line 616, in _load_backward_compatible
  File "/usr/lib/python3.6/site-packages/_pytest/assertion/rewrite.py", line 212, in load_module
    py.builtin.exec_(co, mod.__dict__)
  File "/usr/lib/python3.6/site-packages/ipatests/pytest_plugins/integration/tasks.py", line 47, in <module>
    from ipatests.test_integration.create_external_ca import ExternalCA
  File "/usr/lib/python3.6/site-packages/ipatests/test_integration/__init__.py", line 22, in <module>
    ipatests.util.check_ipaclient_unittests()
  File "/usr/lib/python3.6/site-packages/ipatests/util.py", line 71, in check_ipaclient_unittests
    if pytest.config.getoption('ipaclient_unittests', False):
AttributeError: module 'pytest' has no attribute 'config'
```


"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1372/head:pr1372
git checkout pr1372
From 90e96b42c2fc107449f879bb28eff0024afd9c43 Mon Sep 17 00:00:00 2001
From: Michal Reznik <mrez...@redhat.com>
Date: Wed, 6 Dec 2017 11:34:47 +0100
Subject: [PATCH 1/4] paths: add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants

Add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants which will be
used in test_external_ca test suite.

https://pagure.io/freeipa/issue/7302
---
 ipaplatform/base/paths.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 9f62fdd6e4..8baf03babb 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -270,6 +270,8 @@ class BasePathNamespace(object):
     DNSSEC_TOKENS_DIR = "/var/lib/ipa/dnssec/tokens"
     DNSSEC_SOFTHSM_PIN = "/var/lib/ipa/dnssec/softhsm_pin"
     IPA_CA_CSR = "/var/lib/ipa/ca.csr"
+    IPA_CACERT_MANAGE = "/usr/sbin/ipa-cacert-manage"
+    IPA_CERTUPDATE = "/usr/sbin/ipa-certupdate"
     PKI_CA_PUBLISH_DIR = "/var/lib/ipa/pki-ca/publish"
     REPLICA_INFO_TEMPLATE = "/var/lib/ipa/replica-info-%s"
     REPLICA_INFO_GPG_TEMPLATE = "/var/lib/ipa/replica-info-%s.gpg"
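
Review bot: IPA_CACERT_MANAGE and IPA_CERTUPDATE are executables under /usr/sbin, but they are inserted between IPA_CA_CSR and PKI_CA_PUBLISH_DIR, in the middle of a run of /var/lib/ipa data paths. Consider moving both next to the other command paths in BasePathNamespace so the grouping stays readable. Because they go into the base namespace, please also confirm that no platform-specific namespace needs to override them.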

From c1817631f408c9b0ce5f8176c6c1a8e2da27cd20 Mon Sep 17 00:00:00 2001
From: Michal Reznik <mrez...@redhat.com>
Date: Wed, 6 Dec 2017 11:49:09 +0100
Subject: [PATCH 2/4] test_tasks: add sign_ca_and_transport() function

Add sign_ca_and_transport() function which will sign provided csr
and transport root CA and signed IPA CA to the host.

https://pagure.io/freeipa/issue/7302
---
 ipatests/pytest_plugins/integration/tasks.py | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/ipatests/pytest_plugins/integration/tasks.py b/ipatests/pytest_plugins/integration/tasks.py
index b407145ace..ae3f4d780d 100644
--- a/ipatests/pytest_plugins/integration/tasks.py
+++ b/ipatests/pytest_plugins/integration/tasks.py
@@ -42,6 +42,7 @@
 from ipalib.constants import (
     DEFAULT_CONFIG, DOMAIN_SUFFIX_NAME, DOMAIN_LEVEL_0)
 
+from .create_external_ca import ExternalCA
 from .env_config import env_to_script
 from .host import Host
 
@@ -1381,3 +1382,30 @@ def add_dns_zone(master, zone, skip_overlap_check=False,
                                     host.hostname + ".", '--a-rec', host.ip])
     else:
         logger.debug('Zone %s already added.', zone)
+
+
+def sign_ca_and_transport(host, csr_name, root_ca_name, ipa_ca_name):
+    """
+    Sign ipa csr and save signed CA together with root CA back to the host.
+    Returns root CA and IPA CA paths on the host.
+    """
+
+    test_dir = host.config.test_dir
+
+    # Get IPA CSR as bytes
+    ipa_csr = host.get_file_contents(csr_name)
+
+    external_ca = ExternalCA()
+    # Create root CA
+    root_ca = external_ca.create_ca()
+    # Sign CSR
+    ipa_ca = external_ca.sign_csr(ipa_csr)
+
+    root_ca_fname = os.path.join(test_dir, root_ca_name)
+    ipa_ca_fname = os.path.join(test_dir, ipa_ca_name)
+
+    # Transport certificates (string > file) to master
+    host.put_file_contents(root_ca_fname, root_ca)
+    host.put_file_contents(ipa_ca_fname, ipa_ca)
+
+    return (root_ca_fname, ipa_ca_fname)
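
Review bot: in sign_ca_and_transport() the three name parameters are not the same kind of value: csr_name is passed straight to host.get_file_contents(), so it has to be a full path on the host, while root_ca_name and ipa_ca_name are joined onto test_dir. The docstring does not say this; rename csr_name to something like csr_path and document each argument and the returned tuple. The ExternalCA object is also local and discarded on return, so a caller cannot sign a second CSR with the same root; either state that in the docstring or let callers pass in an existing ExternalCA.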

From 449d015efaaf781feb9a479f21ef242b8d4b6c2d Mon Sep 17 00:00:00 2001
From: Michal Reznik <mrez...@redhat.com>
Date: Wed, 6 Dec 2017 11:53:35 +0100
Subject: [PATCH 3/4] test_external_ca: selfsigned->ext_ca->selfsigned

Add selfsigned > external_ca > selfsigned test case.

Covers Pagure issue #7106

https://pagure.io/freeipa/issue/7302
---
 ipatests/test_integration/test_external_ca.py | 68 +++++++++++++++++++--------
 1 file changed, 49 insertions(+), 19 deletions(-)

diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
index e3c44100e4..a154c23ce5 100644
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
@@ -15,11 +15,13 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import os
 
 from ipatests.pytest_plugins.integration import tasks
 from ipatests.test_integration.base import IntegrationTest
-from ipatests.test_integration.create_external_ca import ExternalCA
+from ipaplatform.paths import paths
+
+IPA_CA = 'ipa_ca.crt'
+ROOT_CA = 'root_ca.crt'
 
 
 class TestExternalCA(IntegrationTest):
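
Review bot: `from ipaplatform.paths import paths` is appended after the ipatests imports, whereas test_caless.py (context lines in patch 4/4) lists ipaplatform before ipatests; keep the same ordering here. Removing `import os` also leaves two consecutive blank lines between the license header and the first import, so drop one of them.
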
@@ -40,23 +42,10 @@ def test_external_ca(self):
             '--external-ca'
         ])
 
-        test_dir = self.master.config.test_dir
-
-        # Get IPA CSR as bytes
-        ipa_csr = self.master.get_file_contents('/root/ipa.csr')
-
-        external_ca = ExternalCA()
-        # Create root CA
-        root_ca = external_ca.create_ca()
-        # Sign CSR
-        ipa_ca = external_ca.sign_csr(ipa_csr)
-
-        root_ca_fname = os.path.join(test_dir, 'root_ca.crt')
-        ipa_ca_fname = os.path.join(test_dir, 'ipa_ca.crt')
-
-        # Transport certificates (string > file) to master
-        self.master.put_file_contents(root_ca_fname, root_ca)
-        self.master.put_file_contents(ipa_ca_fname, ipa_ca)
+        # Sign CA, transport it to the host and get ipa a root ca paths.
+        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
+                                      self.master, paths.ROOT_IPA_CSR, ROOT_CA,
+                                      IPA_CA)
 
         # Step 2 of ipa-server-install
         self.master.run_command([
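
Review bot: the call now reads the CSR from paths.ROOT_IPA_CSR where the removed code used the literal '/root/ipa.csr', but this series only adds IPA_CACERT_MANAGE and IPA_CERTUPDATE to paths.py. Please confirm that ROOT_IPA_CSR already exists and points at /root/ipa.csr, otherwise test_external_ca breaks. The comment "get ipa a root ca paths" should read "get root CA and IPA CA paths", and the continuation lines of the call would be easier to read with a hanging indent.
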
@@ -71,3 +60,44 @@ def test_external_ca(self):
         tasks.kinit_admin(self.master)
         result = self.master.run_command(['ipa', 'user-show', 'admin'])
         assert 'User login: admin' in result.stdout_text
+
+
+class TestSelfExternalSelf(IntegrationTest):
+    """
+    Test self-signed > external CA > self-signed test case.
+    """
+    def test_install_master(self):
+        tasks.install_master(self.master)
+
+    def test_switch_to_external_ca(self):
+
+        result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
+                                         '--external-ca'])
+        assert result.returncode == 0
+
+        # Sign CA, transport it to the host and get ipa a root ca paths.
+        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
+                                      self.master, paths.IPA_CA_CSR, ROOT_CA,
+                                      IPA_CA)
+
+        # renew CA with externally signed one
+        result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
+                                          '--external-cert-file={}'.
+                                          format(ipa_ca_fname),
+                                          '--external-cert-file={}'.
+                                          format(root_ca_fname)])
+        assert result.returncode == 0
+
+        # update IPA certificate databases
+        result = self.master.run_command([paths.IPA_CERTUPDATE])
+        assert result.returncode == 0
+
+    def test_switch_back_to_self_signed(self):
+
+        # switch back to self-signed CA
+        result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
+                                          '--self-signed'])
+        assert result.returncode == 0
+
+        result = self.master.run_command([paths.IPA_CERTUPDATE])
+        assert result.returncode == 0
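
Review bot: TestSelfExternalSelf only asserts on return codes, so it passes even if the CA certificate was not actually replaced. After `renew --external-cert-file=...` plus ipa-certupdate, and again after `renew --self-signed`, verify the outcome: for example repeat the kinit_admin and `ipa user-show admin` check that test_external_ca ends with, and compare the issuer of the installed IPA CA certificate with the expected one. Smaller points: the comment typo "get ipa a root ca paths" is repeated in test_switch_to_external_ca, and the '--external-ca' continuation line there is indented one column less than the matching lines in the later run_command calls.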

From 276f281af05c11bdfd323c43b4550c52a9308841 Mon Sep 17 00:00:00 2001
From: Michal Reznik <mrez...@redhat.com>
Date: Thu, 7 Dec 2017 14:46:06 +0100
Subject: [PATCH 4/4] tests: move CA related modules to pytest_plugins

Till now both create_caless_pki.py and create_external_ca.py were
stored in the test_integration folder. However, when trying to import
e.g. "from create_external_ca import ExternalCA" from tasks.py,
where all other integration tests' support functions live, we get
"AttributeError: module 'pytest' has no attribute 'config'" as pytest
was not completely initialized at the moment of the import.

https://pagure.io/freeipa/issue/7302
---
 .../integration}/create_caless_pki.py                                 | 0
 .../integration}/create_external_ca.py                                | 0
 ipatests/test_integration/test_caless.py                              | 4 ++--
 3 files changed, 2 insertions(+), 2 deletions(-)
 rename ipatests/{test_integration => pytest_plugins/integration}/create_caless_pki.py (100%)
 rename ipatests/{test_integration => pytest_plugins/integration}/create_external_ca.py (100%)

diff --git a/ipatests/test_integration/create_caless_pki.py b/ipatests/pytest_plugins/integration/create_caless_pki.py
similarity index 100%
rename from ipatests/test_integration/create_caless_pki.py
rename to ipatests/pytest_plugins/integration/create_caless_pki.py
diff --git a/ipatests/test_integration/create_external_ca.py b/ipatests/pytest_plugins/integration/create_external_ca.py
similarity index 100%
rename from ipatests/test_integration/create_external_ca.py
rename to ipatests/pytest_plugins/integration/create_external_ca.py
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 76f40292fd..429bee4312 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -32,9 +32,9 @@
 from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
-from ipatests.test_integration import create_caless_pki
-from ipatests.test_integration.create_external_ca import ExternalCA
 from ipatests.pytest_plugins.integration import tasks
+from ipatests.pytest_plugins.integration.create_external_ca import ExternalCA
+from ipatests.pytest_plugins.integration import create_caless_pki
 from ipalib.constants import DOMAIN_LEVEL_0
 
 if six.PY3: