URL: https://github.com/freeipa/freeipa/pull/1618 Author: Rezney Title: #1618: [Backport][ipa-4-6] - test PKINIT and anchor update Action: opened
PR body: """ Add test case for installing PKINIT and anchor update when using 3rd party CA after caless installation. Related to #6831 issue. https://pagure.io/freeipa/issue/7233 Reviewed-By: Christian Heimes <chei...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1618/head:pr1618 git checkout pr1618
From 3685bae4ddbcb3bbcd73965d829f1b8a2827c015 Mon Sep 17 00:00:00 2001 From: Michal Reznik <mrez...@redhat.com> Date: Wed, 25 Oct 2017 18:08:03 +0200 Subject: [PATCH] test_caless: test PKINIT install and anchor update Add test case for installing PKINIT and anchor update when using 3rd party CA after caless installation. Related to #6831 issue. https://pagure.io/freeipa/issue/7233 Reviewed-By: Christian Heimes <chei...@redhat.com>
---
 ipatests/test_integration/test_caless.py | 41 ++++++++++++++++++++++++++------
 1 file changed, 34 insertions(+), 7 deletions(-)
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 36592af5d7..c6f75cc120 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -122,6 +122,8 @@ class CALessBase(IntegrationTest):
 def install(cls, mh):
 cls.cert_dir = tempfile.mkdtemp(prefix="ipatest-")
 cls.pem_filename = os.path.join(cls.cert_dir, 'root.pem')
+ cls.ca2_crt = 'ca2_crt.pem'
+ cls.ca2_kdc_crt = 'ca2_kdc_crt.pem'
 cls.cert_password = cls.master.config.admin_password
 cls.crl_path = os.path.join(cls.master.config.test_dir, 'crl')
@@ -321,7 +323,7 @@ def create_pkcs12(cls, nickname, filename='server.p12', password=None):
 # to construct whole chain e.g "ca1 - ca1/sub - ca1/sub/server"
 for index, _value in enumerate(nick_chain):
- cert_nick = '/'.join(nick_chain[:index+1])
+ cert_nick = '/'.join(nick_chain[:index + 1])
 cert_path = '{}.crt'.format(os.path.join(cls.cert_dir, cert_nick))
 if os.path.isfile(cert_path):
 fname_chain.append(cert_path)
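Review bot: `cls.ca2_kdc_crt = 'ca2_kdc_crt.pem'` is later passed as `certinstall(..., filename=self.ca2_kdc_crt)`, and this patch forwards that `filename` into `create_pkcs12`, whose openssl call writes it with `-out filename`, so the file on disk is a PKCS#12 bundle carrying a `.pem` suffix and a `_crt` name. A name that matches the content, e.g. `cls.ca2_kdc_p12 = 'ca2_kdc.p12'`, keeps the PEM anchor and the PKCS#12 bundle distinguishable when the temp directory is inspected after a failure; the same rename applies at the use site in the test_anon_pkinit_with_external_CA hunk. A short comment above the two assignments, such as `# CA2 anchor (PEM) and the CA2-issued KDC cert bundle used by the PKINIT test`, would also tell the reader why a second set of CA files exists. install's body continues outside the hunk.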
@@ -334,15 +336,17 @@ def create_pkcs12(cls, nickname, filename='server.p12', password=None):
 ipautil.run(["openssl", "pkcs12", "-export", "-out", filename, "-inkey", key_fname, "-in", certchain_fname, "-passin",
- "pass:"+cls.cert_password, "-passout", "pass:"+password,
- "-name", nickname], cwd=cls.cert_dir)
+ "pass:" + cls.cert_password, "-passout", "pass:" +
+ password, "-name", nickname], cwd=cls.cert_dir)
 @classmethod
- def prepare_cacert(cls, nickname):
+ def prepare_cacert(cls, nickname, filename=None):
 """ Prepare pem file for root_ca_file/ca-cert-file option """
+ if filename is None:
+ filename = cls.pem_filename.split(os.sep)[-1]
 # create_caless_pki saves certificates with ".crt" extension by default
 fname_from_nick = '{}.crt'.format(os.path.join(cls.cert_dir, nickname))
- shutil.copy(fname_from_nick, cls.pem_filename)
+ shutil.copy(fname_from_nick, os.path.join(cls.cert_dir, filename))
 @classmethod
 def get_pem(cls, nickname):
@@ -433,7 +437,10 @@ def test_ca_2_certs(self):
 self.create_pkcs12('ca1/server')
 self.prepare_cacert('ca1')
- self.prepare_cacert('ca2')
+ self.prepare_cacert('ca2', filename=self.ca2_crt)
+ with open(self.pem_filename, 'a') as ca1:
+ with open(os.path.join(self.cert_dir, self.ca2_crt), 'r') as ca2:
+ ca1.write(ca2.read())
 result = self.install_server()
 assert_error(result, 'root.pem contains more than one certificate')
@@ -1267,7 +1274,7 @@ def certinstall(self, mode, cert_nick=None, cert_exists=True, filename='server.p12', pin=_DEFAULT, stdin_text=None, p12_pin=None, args=None):
 if cert_nick:
- self.create_pkcs12(cert_nick, password=p12_pin)
+ self.create_pkcs12(cert_nick, password=p12_pin, filename=filename)
 if pin is _DEFAULT:
 pin = self.cert_password
 if cert_exists:
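Review bot: In prepare_cacert, `filename = cls.pem_filename.split(os.sep)[-1]` is `os.path.basename` spelled by hand; `filename = os.path.basename(cls.pem_filename)` reads more directly and uses the same separator rules as the `os.path.join` on the last line. The docstring was not extended for the new parameter; a line such as `filename: name of the PEM written into cls.cert_dir; defaults to the basename of cls.pem_filename` belongs in it. Because the destination is `os.path.join(cls.cert_dir, filename)`, an absolute `filename` would be written outside cert_dir (os.path.join drops the left part when the right is absolute) — acceptable for a test helper called with literals, but worth one sentence in the docstring so the parameter is understood as a bare file name. The rest of create_pkcs12 lies outside the hunk.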
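Review bot: test_ca_2_certs now builds the two-certificate root.pem by appending ca2 directly after ca1, so the expected 'root.pem contains more than one certificate' rejection depends on the copied `ca1.crt` ending with a newline; I cannot see how create_caless_pki writes that file, but if it does not, `-----END CERTIFICATE-----` and the following `-----BEGIN CERTIFICATE-----` share a line and the installer may refuse root.pem for a different reason, which assert_error would surface as a text mismatch. Writing `ca1.write('\n' + ca2.read())` removes that dependence, since a blank line between PEM blocks is generally tolerated by PEM readers. As a style point the nested `with` statements can be one, `with open(self.pem_filename, 'a') as ca1, open(os.path.join(self.cert_dir, self.ca2_crt)) as ca2:`, and the explicit `'r'` mode is the default. A comment such as `# root.pem must hold exactly one CA; append ca2 to provoke the rejection` would state why the file is deliberately made invalid.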
@@ -1493,6 +1500,26 @@ def test_ds_old_options(self):
 args=args, stdin_text=stdin_text)
 assert_error(result, "no such option: --dirsrv-pin")
+ def test_anon_pkinit_with_external_CA(self):
+
+ test_dir = self.master.config.test_dir
+ self.prepare_cacert('ca2', filename=self.ca2_crt)
+ self.copy_cert(self.master, self.ca2_crt)
+
+ result = self.master.run_command(['ipa-cacert-manage', 'install',
+ os.path.join(test_dir, self.ca2_crt)]
+ )
+ assert result.returncode == 0
+ result = self.master.run_command(['ipa-certupdate'])
+ assert result.returncode == 0
+ result = self.certinstall('k', 'ca2/server-kdc',
+ filename=self.ca2_kdc_crt)
+ assert result.returncode == 0
+ result = self.master.run_command(['systemctl', 'restart', 'krb5kdc'])
+ assert result.returncode == 0
+ result = self.master.run_command(['kinit', '-n'])
+ assert result.returncode == 0
+
 class TestPKINIT(CALessBase):
 """Install master and replica with PKINIT"""
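Review bot: test_anon_pkinit_with_external_CA changes the master in place — it adds CA2 as a trust anchor, replaces the KDC certificate and restarts krb5kdc — and performs no cleanup, so it relies on being the last test of its class (it sits immediately before `class TestPKINIT`); a comment such as `# leaves CA2 trusted and a CA2-issued KDC cert installed: keep this the last test in the class` would stop someone from appending a test that silently inherits that state. A docstring is also missing; something like `"""Install CA2 as an extra anchor with ipa-cacert-manage, refresh the trust store with ipa-certupdate, install a CA2-issued KDC cert and verify anonymous PKINIT (kinit -n) succeeds. Related: https://pagure.io/freeipa/issue/7233"""` would state the scenario. The `assert result.returncode == 0` after every run_command is redundant if, as elsewhere in ipatests, run_command raises on a non-zero exit by default; if that holds here, the asserts can go, and a failure that should be inspected instead needs `raiseonerr=False`. The bare exit code of `kinit -n` is a weak oracle for the PKINIT path; a follow-up `klist` checking that the obtained credential is the anonymous principal would make the assertion about what was actually negotiated.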