URL: https://github.com/freeipa/freeipa/pull/1372 Author: Rezney Title: #1372: Test self-signed > external CA > self-signed test case. Action: opened
PR body: """ Various changes are being done in this PR: 1. In order to avoid boilerplate code we add a function for signing a CA. 2. We add self-signed > external CA > self-signed test case itself + introduce two new constants. 3. We move create_caless_pki.py and create_external_ca.py modules to pytest_plugins. Details: Till now both create_caless_pki.py and create_external_ca.py were stored in test_integration folder. However, when trying to import e.g. "from create_external_ca import ExternalCA" from tasks.py, where all the other integration tests' support functions live, we get "AttributeError: module 'pytest' has no attribute 'config'" as pytest was not completely initialized at the moment of the import. Backtrace from the issue: ` File "/usr/lib/python3.6/site-packages/_pytest/config.py", line 421, in consider_module self._import_plugin_specs(getattr(mod, 'pytest_plugins', [])) File "/usr/lib/python3.6/site-packages/_pytest/config.py", line 426, in _import_plugin_specs self.import_plugin(import_spec) File "/usr/lib/python3.6/site-packages/_pytest/config.py", line 443, in import_plugin __import__(importspec) File "/usr/lib/python3.6/site-packages/ipatests/pytest_plugins/integration/__init__.py", line 37, in <module> from .
import tasks File "<frozen importlib._bootstrap>", line 961, in _find_and_load File "<frozen importlib._bootstrap>", line 950, in _find_and_load_unlocked File "<frozen importlib._bootstrap>", line 646, in _load_unlocked File "<frozen importlib._bootstrap>", line 616, in _load_backward_compatible File "/usr/lib/python3.6/site-packages/_pytest/assertion/rewrite.py", line 212, in load_module py.builtin.exec_(co, mod.__dict__) File "/usr/lib/python3.6/site-packages/ipatests/pytest_plugins/integration/tasks.py", line 47, in <module> from ipatests.test_integration.create_external_ca import ExternalCA File "/usr/lib/python3.6/site-packages/ipatests/test_integration/__init__.py", line 22, in <module> ipatests.util.check_ipaclient_unittests() File "/usr/lib/python3.6/site-packages/ipatests/util.py", line 71, in check_ipaclient_unittests if pytest.config.getoption('ipaclient_unittests', False): AttributeError: module 'pytest' has no attribute 'config' ` """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1372/head:pr1372 git checkout pr1372
From 90e96b42c2fc107449f879bb28eff0024afd9c43 Mon Sep 17 00:00:00 2001 From: Michal Reznik <mrez...@redhat.com> Date: Wed, 6 Dec 2017 11:34:47 +0100 Subject: [PATCH 1/4] paths: add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants Add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants which will be used in test_external_ca test suite. https://pagure.io/freeipa/issue/7302 --- ipaplatform/base/paths.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 9f62fdd6e4..8baf03babb 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -270,6 +270,8 @@ class BasePathNamespace(object): DNSSEC_TOKENS_DIR = "/var/lib/ipa/dnssec/tokens" DNSSEC_SOFTHSM_PIN = "/var/lib/ipa/dnssec/softhsm_pin" IPA_CA_CSR = "/var/lib/ipa/ca.csr" + IPA_CACERT_MANAGE = "/usr/sbin/ipa-cacert-manage" + IPA_CERTUPDATE = "/usr/sbin/ipa-certupdate" PKI_CA_PUBLISH_DIR = "/var/lib/ipa/pki-ca/publish" REPLICA_INFO_TEMPLATE = "/var/lib/ipa/replica-info-%s" REPLICA_INFO_GPG_TEMPLATE = "/var/lib/ipa/replica-info-%s.gpg" From c1817631f408c9b0ce5f8176c6c1a8e2da27cd20 Mon Sep 17 00:00:00 2001 From: Michal Reznik <mrez...@redhat.com> Date: Wed, 6 Dec 2017 11:49:09 +0100 Subject: [PATCH 2/4] test_tasks: add sign_ca_and_transport() function Add sign_ca_and_transport() function which will sign provided csr and transport root CA and signed IPA CA to the host. https://pagure.io/freeipa/issue/7302 --- ipatests/pytest_plugins/integration/tasks.py | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/ipatests/pytest_plugins/integration/tasks.py b/ipatests/pytest_plugins/integration/tasks.py index b407145ace..ae3f4d780d 100644 --- a/ipatests/pytest_plugins/integration/tasks.py +++ b/ipatests/pytest_plugins/integration/tasks.py 
@@ -42,6 +42,7 @@ from ipalib.constants import ( DEFAULT_CONFIG, DOMAIN_SUFFIX_NAME, DOMAIN_LEVEL_0) +from .create_external_ca import ExternalCA from .env_config import env_to_script from .host import Host @@ -1381,3 +1382,30 @@ def add_dns_zone(master, zone, skip_overlap_check=False, host.hostname + ".", '--a-rec', host.ip]) else: logger.debug('Zone %s already added.', zone) + + +def sign_ca_and_transport(host, csr_name, root_ca_name, ipa_ca_name): + """ + Sign ipa csr and save signed CA together with root CA back to the host. + Returns root CA and IPA CA paths on the host. + """ + + test_dir = host.config.test_dir + + # Get IPA CSR as bytes + ipa_csr = host.get_file_contents(csr_name) + + external_ca = ExternalCA() + # Create root CA + root_ca = external_ca.create_ca() + # Sign CSR + ipa_ca = external_ca.sign_csr(ipa_csr) + + root_ca_fname = os.path.join(test_dir, root_ca_name) + ipa_ca_fname = os.path.join(test_dir, ipa_ca_name) + + # Transport certificates (string > file) to master + host.put_file_contents(root_ca_fname, root_ca) + host.put_file_contents(ipa_ca_fname, ipa_ca) + + return (root_ca_fname, ipa_ca_fname) From 449d015efaaf781feb9a479f21ef242b8d4b6c2d Mon Sep 17 00:00:00 2001 From: Michal Reznik <mrez...@redhat.com> Date: Wed, 6 Dec 2017 11:53:35 +0100 Subject: [PATCH 3/4] test_external_ca: selfsigned->ext_ca->selfsigned Add selfsigned > external_ca > selfsigned test case. Covers Pagure issue #7106 https://pagure.io/freeipa/issue/7302 --- ipatests/test_integration/test_external_ca.py | 68 +++++++++++++++++++-------- 1 file changed, 49 insertions(+), 19 deletions(-) diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py index e3c44100e4..a154c23ce5 100644 --- a/ipatests/test_integration/test_external_ca.py +++ b/ipatests/test_integration/test_external_ca.py 
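Review bot: In `sign_ca_and_transport()` the three `*_name` parameters do not mean the same thing: `csr_name` is handed to `host.get_file_contents()` unchanged (the callers later in this series pass `paths.ROOT_IPA_CSR` and `paths.IPA_CA_CSR`, which look like full paths), while `root_ca_name` and `ipa_ca_name` are joined onto `test_dir`. The docstring should say so, for example `:param csr_name: path of the CSR on the host` and `:param root_ca_name: file name to create under host.config.test_dir`. Because `os.path.join()` discards `test_dir` when its second argument is absolute, an absolute `root_ca_name` or `ipa_ca_name` would be written outside the test directory; passing each through `os.path.basename()` before the join keeps the writes confined to it. `ExternalCA()` is instantiated on every call, so each invocation presumably produces a new root CA, which is also worth one line in the docstring.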
@@ -15,11 +15,13 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -import os from ipatests.pytest_plugins.integration import tasks from ipatests.test_integration.base import IntegrationTest -from ipatests.test_integration.create_external_ca import ExternalCA +from ipaplatform.paths import paths + +IPA_CA = 'ipa_ca.crt' +ROOT_CA = 'root_ca.crt' class TestExternalCA(IntegrationTest): @@ -40,23 +42,10 @@ def test_external_ca(self): '--external-ca' ]) - test_dir = self.master.config.test_dir - - # Get IPA CSR as bytes - ipa_csr = self.master.get_file_contents('/root/ipa.csr') - - external_ca = ExternalCA() - # Create root CA - root_ca = external_ca.create_ca() - # Sign CSR - ipa_ca = external_ca.sign_csr(ipa_csr) - - root_ca_fname = os.path.join(test_dir, 'root_ca.crt') - ipa_ca_fname = os.path.join(test_dir, 'ipa_ca.crt') - - # Transport certificates (string > file) to master - self.master.put_file_contents(root_ca_fname, root_ca) - self.master.put_file_contents(ipa_ca_fname, ipa_ca) + # Sign CA, transport it to the host and get ipa a root ca paths. + root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport( + self.master, paths.ROOT_IPA_CSR, ROOT_CA, + IPA_CA) # Step 2 of ipa-server-install self.master.run_command([ 
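Review bot: The comment added in `test_external_ca`, `get ipa a root ca paths`, looks like a typo; something like `# Sign the CSR, copy both certs to the host, get their paths.` matches what `tasks.sign_ca_and_transport()` returns. The same comment is repeated in `test_switch_to_external_ca` in the next hunk. The call's arguments also fit on one continuation line, so `IPA_CA)` does not need to be wrapped onto a line of its own.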
@@ -71,3 +60,44 @@ def test_external_ca(self): tasks.kinit_admin(self.master) result = self.master.run_command(['ipa', 'user-show', 'admin']) assert 'User login: admin' in result.stdout_text + + +class TestSelfExternalSelf(IntegrationTest): + """ + Test self-signed > external CA > self-signed test case. + """ + def test_install_master(self): + tasks.install_master(self.master) + + def test_switch_to_external_ca(self): + + result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew', + '--external-ca']) + assert result.returncode == 0 + + # Sign CA, transport it to the host and get ipa a root ca paths. + root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport( + self.master, paths.IPA_CA_CSR, ROOT_CA, + IPA_CA) + + # renew CA with externally signed one + result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew', + '--external-cert-file={}'. + format(ipa_ca_fname), + '--external-cert-file={}'. + format(root_ca_fname)]) + assert result.returncode == 0 + + # update IPA certificate databases + result = self.master.run_command([paths.IPA_CERTUPDATE]) + assert result.returncode == 0 + + def test_switch_back_to_self_signed(self): + + # switch back to self-signed CA + result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew', + '--self-signed']) + assert result.returncode == 0 + + result = self.master.run_command([paths.IPA_CERTUPDATE]) + assert result.returncode == 0 From 276f281af05c11bdfd323c43b4550c52a9308841 Mon Sep 17 00:00:00 2001 
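Review bot: `TestSelfExternalSelf` asserts only exit codes, so it would still pass if `ipa-cacert-manage renew` returned success but left the previous CA certificate in place. After the `--external-cert-file` renewal the test should check that the issuer of the IPA CA certificate is the root CA produced by `sign_ca_and_transport()`, and after `--self-signed` that issuer and subject are equal again. If `run_command()` already raises on a non-zero exit by default (the hunk does not show this), the `assert result.returncode == 0` lines add nothing and could be replaced by those checks.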
From: Michal Reznik <mrez...@redhat.com> Date: Thu, 7 Dec 2017 14:46:06 +0100 Subject: [PATCH 4/4] tests: move CA related modules to pytest_plugins Till now both create_caless_pki.py and create_external_ca.py were stored in test_integration folder. However when trying to import e.g. "from create_external_ca import ExternalCA" from tasks.py where all other integration test`s support functions lives we get "AttributeError: module 'pytest' has no attribute 'config' as pytest was not completely initialized at the moment of the import. https://pagure.io/freeipa/issue/7302 --- .../integration}/create_caless_pki.py | 0 .../integration}/create_external_ca.py | 0 ipatests/test_integration/test_caless.py | 4 ++-- 3 files changed, 2 insertions(+), 2 deletions(-) rename ipatests/{test_integration => pytest_plugins/integration}/create_caless_pki.py (100%) rename ipatests/{test_integration => pytest_plugins/integration}/create_external_ca.py (100%) diff --git a/ipatests/test_integration/create_caless_pki.py b/ipatests/pytest_plugins/integration/create_caless_pki.py similarity index 100% rename from ipatests/test_integration/create_caless_pki.py rename to ipatests/pytest_plugins/integration/create_caless_pki.py diff --git a/ipatests/test_integration/create_external_ca.py b/ipatests/pytest_plugins/integration/create_external_ca.py similarity index 100% rename from ipatests/test_integration/create_external_ca.py rename to ipatests/pytest_plugins/integration/create_external_ca.py diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py index 76f40292fd..429bee4312 100644 --- a/ipatests/test_integration/test_caless.py +++ b/ipatests/test_integration/test_caless.py 
@@ -32,9 +32,9 @@ from ipaplatform.paths import paths from ipapython.dn import DN from ipatests.test_integration.base import IntegrationTest -from ipatests.test_integration import create_caless_pki -from ipatests.test_integration.create_external_ca import ExternalCA from ipatests.pytest_plugins.integration import tasks +from ipatests.pytest_plugins.integration.create_external_ca import ExternalCA +from ipatests.pytest_plugins.integration import create_caless_pki from ipalib.constants import DOMAIN_LEVEL_0 if six.PY3: