URL: https://github.com/freeipa/freeipa/pull/2706
Author: flo-renaud
Title: #2706: pkinit enable: use local dogtag only if host has CA
Action: opened

PR body:
"""
## pkinit enable: use local dogtag only if host has CA

`ipa-pkinit-manage enable` is failing if called on a master that does not have a CA instance, because it is trying to contact dogtag on the localhost.
The command should rather use certmonger in this case, and let certmonger contact the right master to request the KDC certificate.

Fixes: https://pagure.io/freeipa/issue/7795

## ipatests: add integration test for pkinit enable on replica

`ipa-pkinit-manage enable` was failing when run on a replica without a CA instance.
Add a test with the following scenario:
- install a replica with `--no-pkinit`
- check that the KDC cert is self signed
- call `ipa-pkinit-manage enable`
- check that the KDC cert is signed by IPA CA

Related to https://pagure.io/freeipa/issue/7795
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2706/head:pr2706
git checkout pr2706
From 64e0b7678494885ca1b41cc8b3a91ba0b42095fc Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Thu, 20 Dec 2018 08:56:56 +0100
Subject: [PATCH 1/3] pkinit enable: use local dogtag only if host has CA

ipa-pkinit-manage enable is failing if called on a master
that does not have a CA instance, because it is trying to
contact dogtag on the localhost.
The command should rather use certmonger in this case, and
let certmonger contact the right master to request the KDC
certificate.

Fixes: https://pagure.io/freeipa/issue/7795
---
 ipaserver/install/krbinstance.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 850946afb4..8ac125fa36 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -45,6 +45,7 @@
 from ipaserver.install import ldapupdate
 
 from ipaserver.install import certs
+from ipaserver.masters import find_providing_servers
 from ipaplatform.constants import constants
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths
@@ -428,10 +429,13 @@ def _call_certmonger(self, certmonger_ca='IPA'):
             prev_helper = None
             # on the first CA-ful master without '--no-pkinit', we issue the
             # certificate by contacting Dogtag directly
+            localhost_has_ca = self.fqdn in find_providing_servers(
+                'CA', conn=self.api.Backend.ldap2, api=self.api)
             use_dogtag_submit = all(
                 [self.master_fqdn is None,
                  self.pkcs12_info is None,
-                 self.config_pkinit])
+                 self.config_pkinit,
+                 localhost_has_ca])
 
             if use_dogtag_submit:
                 ca_args = [

From 418e1086cc346f1afbe7b4a0e57fb1c1b8aebc43 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Thu, 20 Dec 2018 09:01:29 +0100
Subject: [PATCH 2/3] ipatests: add integration test for pkinit enable on
 replica

ipa-pkinit-manage enable was failing when run on a replica
without a CA instance.
Add a test with the following scenario:
- install a replica with --no-pkinit
- check that the KDC cert is self signed
- call ipa-pkinit-manage enable
- check that the KDC cert is signed by IPA CA

Related to https://pagure.io/freeipa/issue/7795
---
 ipatests/test_integration/test_pkinit_manage.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/ipatests/test_integration/test_pkinit_manage.py b/ipatests/test_integration/test_pkinit_manage.py
index bc1d9e338c..e74ad43559 100644
--- a/ipatests/test_integration/test_pkinit_manage.py
+++ b/ipatests/test_integration/test_pkinit_manage.py
@@ -92,6 +92,8 @@ class TestPkinitManage(IntegrationTest):
     certificate that is tracked by certmonger with the SelfSigned helper.
     """
 
+    num_replicas = 1
+
     @classmethod
     def install(cls, mh):
         # Install the master with PKINIT disabled
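Review bot: `num_replicas = 1` changes the topology the whole class requires, but only the temporary PR-CI definition in patch 3, which is to be dropped before pushing, moves the test_pkinit_manage job onto a topology with a replica; if gating.yaml runs this suite, it needs the same topology change within this PR, otherwise the class cannot be scheduled in gating. The replica's `enable` also needs a CA somewhere in the topology, so the master installed here with PKINIT disabled must keep its CA.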
@@ -109,3 +111,18 @@ def test_pkinit_disable(self):
     def test_pkinit_reenable(self):
         self.master.run_command(['ipa-pkinit-manage', 'enable'])
         check_pkinit(self.master, enabled=True)
+
+    def test_pkinit_on_replica(self):
+        """Test pkinit enable on a replica without CA
+
+        Test case for ticket 7795.
+        Install a replica with --no-pkinit (without CA)
+        then call ipa-pkinit-manage enable. The replica must contact
+        a master with a CA instance to get its KDC cert.
+        """
+        tasks.install_replica(self.master, self.replicas[0], setup_ca=False,
+                              extra_args=['--no-pkinit'])
+        check_pkinit(self.replicas[0], enabled=False)
+
+        self.replicas[0].run_command(['ipa-pkinit-manage', 'enable'])
+        check_pkinit(self.replicas[0], enabled=True)
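Review bot: the final assertion relies solely on `check_pkinit(self.replicas[0], enabled=True)`, which does not show that the replica obtained its KDC certificate through certmonger from a CA master, as the commit message describes, rather than through the previously failing local Dogtag path. Since the class docstring notes that the self-signed certificate is tracked by certmonger with the SelfSigned helper, consider also asserting on the replica's certmonger tracking request for the KDC certificate after `enable`: that it is in MONITORING state with the IPA CA and that the certificate's issuer is no longer its own subject. Separately, the replica is installed inside the test method rather than in `install()`, so a replica-install failure unrelated to PKINIT surfaces as a failure of this test; a one-line comment explaining that choice would help.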

From bb747ce4f18e0985ed9f64b940e2d38e3636aa7f Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Thu, 20 Dec 2018 09:04:13 +0100
Subject: [PATCH 3/3] temp commit to test ipa-pkinit-manage enable

Please remove before pushing
---
 .freeipa-pr-ci.yaml                        | 2 +-
 ipatests/prci_definitions/temp_commit.yaml | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b63..8065669008 120000
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/temp_commit.yaml
\ No newline at end of file
diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml
index d5c2b59ae7..4ae253a288 100644
--- a/ipatests/prci_definitions/temp_commit.yaml
+++ b/ipatests/prci_definitions/temp_commit.yaml
@@ -45,14 +45,14 @@ jobs:
         timeout: 1800
         topology: *build
 
-  fedora-29/temp_commit:
+  fedora-29/test_pkinit_manage:
     requires: [fedora-29/build]
     priority: 50
     job:
       class: RunPytest
       args:
         build_url: '{fedora-29/build_url}'
-        test_suite: test_integration/test_REPLACEME.py
+        test_suite: test_integration/test_pkinit_manage.py
         template: *ci-master-f29
         timeout: 3600
-        topology: *master_1repl_1client
+        topology: *master_1repl
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org