Hello,
This patch implements the first batch of integration tests for CA-less installation. Tests from http://www.freeipa.org/page/V3/CA-less_install up to "IPA server install with missing DS PKCS#12 password" are included.


Running this already takes an hour in the lab I use, so I decided to split the patch up and post the first part for review now.

The two tests for revoked certificates fail. This is expected as we don't handle revoked certs yet.

--
Petr³
From bff741accbf2baac2cc82b28a964bb4564bd9bf6 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Tue, 11 Jun 2013 20:25:56 -0400
Subject: [PATCH] Add initial CA-less installation tests

Add the first bunch of tests described at
http://www.freeipa.org/page/V3/CA-less_install
Tests up to "IPA server install with missing DS PKCS#12 password"
are included.
---
 ipatests/setup.py.in                               |   1 +
 .../test_integration/scripts/caless-create-pki     | 113 +++++
 ipatests/test_integration/test_caless.py           | 533 +++++++++++++++++++++
 3 files changed, 647 insertions(+)
 create mode 100644 ipatests/test_integration/scripts/caless-create-pki
 create mode 100644 ipatests/test_integration/test_caless.py

diff --git a/ipatests/setup.py.in b/ipatests/setup.py.in
index 3ea2729ee018f249a7d103140c01fbd95efd17f3..afbe9abc01415feb00aac04c9c15a09296481e01 100644
--- a/ipatests/setup.py.in
+++ b/ipatests/setup.py.in
@@ -79,6 +79,7 @@ def setup_package():
             scripts=['ipa-run-tests', 'ipa-test-config', 'ipa-test-task'],
             package_data = {
                 'ipatests.test_install': ['*.update'],
+                'ipatests.test_integration': ['scripts/*'],
                 'ipatests.test_pkcs10': ['*.csr']}
         )
     finally:
diff --git a/ipatests/test_integration/scripts/caless-create-pki b/ipatests/test_integration/scripts/caless-create-pki
new file mode 100644
index 0000000000000000000000000000000000000000..fcafce8d3dd5e82a18b70bc467ca8bc70353d418
--- /dev/null
+++ b/ipatests/test_integration/scripts/caless-create-pki
@@ -0,0 +1,113 @@
+#!/bin/bash -e
+
+profile_ca=(-t CT,C,C -v 120)
+profile_server=(-t ,, -v 12)
+
+gen_cert() {
+    local profile="$1" nick="$2" subject="$3" ca options pwfile noise csr crt
+    shift 3
+
+    echo "gen_cert(profile=$profile nick=$nick subject=$subject)"
+
+    ca="$(dirname $nick)"
+    if [ "$ca" = "." ]; then
+        ca="$nick"
+    fi
+
+    eval "options=(\"\${profile_$profile[@]}\")"
+    if [ "$ca" = "$nick" ]; then
+        options=("${options[@]}" -x -m 1)
+    else
+        options=("${options[@]}" -c "$ca")
+    fi
+
+    pwfile="$(mktemp)"
+    echo "$dbpassword" >"$pwfile"
+
+    noise="$(mktemp)"
+    head -c 20 /dev/urandom >"$noise"
+
+    if [ ! -d "$dbdir" ]; then
+        mkdir "$dbdir"
+        certutil -N -d "$dbdir" -f "$pwfile"
+    fi
+
+    csr="$(mktemp)"
+    crt="$(mktemp)"
+    certutil -R -d "$dbdir" -s "$subject" -f "$pwfile" -z "$noise" -o "$csr" -4 >/dev/null <<EOF
+1
+7
+file://$(readlink -f $dbdir)/$ca.crl
+-1
+-1
+-1
+n
+n
+EOF
+    certutil -C -d "$dbdir" -f "$pwfile" -m "$RANDOM" -i "$csr" -o "$crt" "${options[@]}" "$@"
+    certutil -A -d "$dbdir" -n "$nick" -f "$pwfile" -i "$crt" "${options[@]}"
+
+    rm -f "$pwfile" "$noise" "$csr" "$crt"
+}
+
+revoke_cert() {
+    local nick="$1" ca pwfile serial
+    shift 1
+
+    echo "revoke_cert(nick=$nick)"
+
+    ca="$(dirname $nick)"
+    if [ "$ca" = "." ]; then
+        ca="$nick"
+    fi
+
+    pwfile="$(mktemp)"
+    echo "$dbpassword" >"$pwfile"
+
+    if ! crlutil -L -d "$dbdir" -n "$ca" &>/dev/null; then
+        crlutil -G -d "$dbdir" -n "$ca" -c /dev/null -f "$pwfile"
+    fi
+
+    sleep 1
+
+    mkdir -p "$(dirname $dbdir/$ca.crl)"
+    serial=$(certutil -L -d "$dbdir" -n "$nick" | awk '/^\s+Serial Number: / { print $3 }')
+    crlutil -M -d "$dbdir" -n "$ca" -c /dev/stdin -f "$pwfile" -o "$dbdir/$ca.crl" <<EOF
+addcert $serial $(date -u +%Y%m%d%H%M%SZ)
+EOF
+
+    rm -f "$pwfile"
+}
+
+gen_server_certs() {
+    local nick="$1" hostname="$2" org="$3"
+    shift 3
+
+    echo "gen_server_certs(nick=$nick hostname=$hostname org=$org)"
+
+    gen_cert server "$nick" "CN=$hostname,O=$org" "$@"
+    gen_cert server "$nick-badname" "CN=not-$hostname,O=$org" "$@"
+    gen_cert server "$nick-altname" "CN=alt-$hostname,O=$org" -8 "$hostname" "$@"
+    gen_cert server "$nick-expired" "CN=$hostname,OU=Expired,O=$org" -w -24 "$@"
+    gen_cert server "$nick-badusage" "CN=$hostname,OU=Bad Usage,O=$org" --keyUsage dataEncipherment,keyAgreement "$@"
+    gen_cert server "$nick-revoked" "CN=$hostname,OU=Revoked,O=$org" "$@"
+    revoke_cert "$nick-revoked"
+}
+
+gen_subtree() {
+    local nick="$1" org="$2"
+    shift 2
+
+    echo "gen_subtree(nick=$nick org=$org)"
+
+    gen_cert ca "$nick" "CN=CA,O=$org" "$@"
+    gen_cert server "$nick/wildcard" "CN=*.$domain,O=$org"
+    gen_server_certs "$nick/server" "$server1" "$org"
+    gen_server_certs "$nick/replica" "$server2" "$org"
+}
+
+gen_cert server server-selfsign "CN=$server1,O=Self-signed"
+gen_cert server replica-selfsign "CN=$server2,O=Self-signed"
+gen_subtree ca1 'Example Organization'
+gen_subtree ca1/subca 'Subsidiary Example Organization'
+gen_subtree ca2 'Other Example Organization'
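Review bot: The serial number passed at `certutil -C -d "$dbdir" -f "$pwfile" -m "$RANDOM" ...` is drawn from a 15-bit random value, so two certificates issued under the same CA can collide; since `revoke_cert` later looks the serial up by nickname and writes it into the CRL, a collision would make the revocation ambiguous and the revoked-cert tests unreliable. A per-run counter, e.g. `serial=$((serial + 1))` kept in a script-level variable and passed as `-m "$serial"`, gives unique serials without changing the rest of the flow. The `eval "options=(\"\${profile_$profile[@]}\")"` line interpolates `$profile` into shell code; it is only ever called with the literals `ca` and `server` here, so a short guard such as `case "$profile" in ca|server) ;; *) return 1 ;; esac` before it would document and enforce that. Finally, `ca="$(dirname $nick)"` (twice), `readlink -f $dbdir` in the here-doc and `mkdir -p "$(dirname $dbdir/$ca.crl)"` leave expansions unquoted inside command substitutions, and the `sleep 1` in `revoke_cert` deserves a one-line comment saying what ordering it is waiting for.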
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
new file mode 100644
index 0000000000000000000000000000000000000000..667f63d7deee024c770e518f365efc2c68a678b0
--- /dev/null
+++ b/ipatests/test_integration/test_caless.py
@@ -0,0 +1,533 @@
+# Authors:
+#   Petr Viktorin <pvikt...@redhat.com>
+#
+# Copyright (C) 2013  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import tempfile
+import shutil
+
+from ipapython import ipautil
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration import tasks
+
+_DEFAULT = object()
+
+
+def get_install_stdin(cert_passwords=()):
+    lines = [
+        'yes',  # Existing BIND configuration detected, overwrite? [no]
+        '',  # Server host name (has default)
+        '',  # Confirm domain name (has default)
+    ]
+    lines.extend(cert_passwords)  # Enter foo.p12 unlock password
+    lines += [
+        '',  # Do you want to configure the reverse zone? [yes]
+        '',  # Please specify the reverse zone name [47.34.10.in-addr.arpa.]
+        'yes',  # Continue with these values?
+    ]
+    return '\n'.join(lines + [''])
+
+
+class TestCALessServerInstall(IntegrationTest):
+    num_replicas = 0
+
+    @classmethod
+    def install(cls):
+        cls.cert_dir = tempfile.mkdtemp(prefix="ipatest-")
+        cls.pem_filename = os.path.join(cls.cert_dir, 'root.pem')
+        scriptfile = os.path.join(os.path.dirname(__file__),
+                                  'scripts',
+                                  'caless-create-pki')
+        cls.cert_password = cls.master.config.admin_password
+        env = {
+            'domain': cls.master.domain.name,
+            'server1': cls.master.hostname,
+            'server2': 'unused.test',
+            'dbdir': 'nssdb',
+            'dbpassword': cls.cert_password,
+        }
+        ipautil.run(['bash', '-ex', scriptfile], cwd=cls.cert_dir, env=env)
+
+        tasks.apply_common_fixes(cls.master)
+
+    @classmethod
+    def uninstall(cls):
+        """Remove the NSS database"""
+        super(TestCALessServerInstall, cls).uninstall()
+        shutil.rmtree(cls.cert_dir)
+
+    def install_server(self, host=None,
+                       http_pkcs12='server.p12', dirsrv_pkcs12='server.p12',
+                       http_pkcs12_exists=True, dirsrv_pkcs12_exists=True,
+                       http_pin=_DEFAULT, dirsrv_pin=_DEFAULT,
+                       root_ca_file='root.pem', unattended=True,
+                       stdin_text=None):
+        """Install a CA-less server
+
+        Return value is the remote ipa-server-install command
+        """
+        if host is None:
+            host = self.master
+        if http_pin is _DEFAULT:
+            http_pin = self.cert_password
+        if dirsrv_pin is _DEFAULT:
+            dirsrv_pin = self.cert_password
+
+        files_to_copy = ['root.pem']
+        if http_pkcs12_exists:
+            files_to_copy.append(http_pkcs12)
+        if dirsrv_pkcs12_exists:
+            files_to_copy.append(dirsrv_pkcs12)
+        for filename in set(files_to_copy):
+            host.put_file(os.path.join(self.cert_dir, filename),
+                          os.path.join(host.config.test_dir, filename))
+
+        self.collect_log(host, '/var/log/ipaserver-install.log')
+        self.collect_log(host, '/var/log/ipaclient-install.log')
+        inst = host.domain.realm.replace('.', '-')
+        self.collect_log(host, '/var/log/dirsrv/slapd-%s/errors' % inst)
+        self.collect_log(host, '/var/log/dirsrv/slapd-%s/access' % inst)
+
+        args = [
+            'ipa-server-install',
+            '--http_pkcs12', http_pkcs12,
+            '--dirsrv_pkcs12', dirsrv_pkcs12,
+            '--root-ca-file', root_ca_file,
+            '--ip-address', host.ip,
+            '-r', host.domain.name,
+            '-p', host.config.dirman_password,
+            '-a', host.config.admin_password,
+            '--setup-dns',
+            '--forwarder', host.config.dns_forwarder,
+        ]
+
+        if http_pin:
+            args.extend(['--http_pin', http_pin])
+        if dirsrv_pin:
+            args.extend(['--dirsrv_pin', dirsrv_pin])
+        if unattended:
+            args.extend(['-U'])
+
+        return host.run_command(args, raiseonerr=False, stdin_text=stdin_text)
+
+    def tearDown(self):
+        self.master.run_command(['ipa-server-install', '--uninstall', '-U'])
+        # Remove CA cert in /etc/pki/nssdb, in case of failed (un)install
+        self.master.run_command(['certutil', '-d', '/etc/pki/nssdb', '-D',
+                                 '-n', 'External CA cert'], raiseonerr=False)
+
+    def export_pkcs12(self, nickname, filename='server.p12'):
+        """Export a cert as PKCS#12 to the given file"""
+        ipautil.run(['pk12util',
+                     '-o', filename,
+                     '-n', nickname,
+                     '-d', 'nssdb',
+                     '-K', self.cert_password,
+                     '-W', self.cert_password], cwd=self.cert_dir)
+
+    def get_pem(self, nickname):
+        pem_cert, _stderr, _returncode = ipautil.run(
+            ['certutil', '-L', '-d', 'nssdb', '-n', nickname, '-a'],
+            cwd=self.cert_dir)
+        return pem_cert
+
+    def test_nonexistent_ca_pem_file(self):
+        "IPA server install with non-existent CA PEM file "
+
+        self.export_pkcs12('ca1/server')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca2'))
+
+        result = self.install_server(root_ca_file='does_not_exist')
+        assert result.returncode > 0
+        assert ('Failed to open does_not_exist: No such file or directory'
+                in result.stderr_text), result.stderr_text
+
+    def test_unknown_ca(self):
+        "IPA server install with CA PEM file with unknown CA certificate"
+
+        self.export_pkcs12('ca1/server')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca2'))
+
+        result = self.install_server()
+        assert result.returncode > 0
+        assert ('server.p12 is not signed by root.pem, or the full '
+                'certificate chain is not present in the PKCS#12 '
+                'file' in result.stderr_text), result.stderr_text
+
+    def test_ca_server_cert(self):
+        "IPA server install with CA PEM file with server certificate"
+
+        self.export_pkcs12('ca1/server')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1/server'))
+
+        result = self.install_server()
+        assert result.returncode > 0
+        assert ('The server certificate in server.p12 is not valid: '
+                "(SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer "
+                'is not recognized.' in result.stderr_text), result.stderr_text
+
+    def test_ca_2_certs(self):
+        "IPA server install with CA PEM file with 2 certificates"
+
+        self.export_pkcs12('ca1/server')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+            f.write(self.get_pem('ca2'))
+
+        result = self.install_server()
+        assert result.returncode > 0
+        assert ('root.pem contains more than one certificate' in
+                result.stderr_text), result.stderr_text
+
+    def test_nonexistent_http_pkcs12_file(self):
+        "IPA server install with non-existent HTTP PKCS#12 file"
+
+        self.export_pkcs12('ca1/server')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(http_pkcs12='does_not_exist',
+                                     http_pkcs12_exists=False)
+        assert result.returncode > 0
+        assert ('Failed to open does_not_exist' in
+                result.stderr_text), result.stderr_text
+
+    def test_nonexistent_ds_pkcs12_file(self):
+        "IPA server install with non-existent DS PKCS#12 file"
+
+        self.export_pkcs12('ca1/server')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(dirsrv_pkcs12='does_not_exist',
+                                     dirsrv_pkcs12_exists=False)
+        assert result.returncode > 0
+        assert ('Failed to open does_not_exist' in
+                result.stderr_text), result.stderr_text
+
+    def test_missing_http_password(self):
+        "IPA server install with missing HTTP PKCS#12 password (unattended)"
+
+        self.export_pkcs12('ca1/server')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(http_pin=False)
+        assert result.returncode > 0
+        assert ('ipa-server-install: error: You must specify --http_pin with '
+                '--http_pkcs12' in result.stderr_text), result.stderr_text
+
+    def test_missing_ds_password(self):
+        "IPA server install with missing DS PKCS#12 password (unattended)"
+
+        self.export_pkcs12('ca1/server')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(dirsrv_pin=False)
+        assert result.returncode > 0
+        assert ('ipa-server-install: error: You must specify --dirsrv_pin '
+                'with --dirsrv_pkcs12'
+                in result.stderr_text), result.stderr_text
+
+    def test_incorect_http_pin(self):
+        "IPA server install with incorrect HTTP PKCS#12 password"
+
+        self.export_pkcs12('ca1/server')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(http_pin='bad<pin>')
+        assert result.returncode > 0
+        assert ('incorrect password for pkcs#12 file server.p12' in
+                result.stderr_text), result.stderr_text
+
+    def test_incorect_ds_pin(self):
+        "IPA server install with incorrect DS PKCS#12 password"
+
+        self.export_pkcs12('ca1/server')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(dirsrv_pin='bad<pin>')
+        assert result.returncode > 0
+        assert ('incorrect password for pkcs#12 file server.p12' in
+                result.stderr_text), result.stderr_text
+
+    def test_invalid_http_cn(self):
+        "IPA server install with HTTP certificate with invalid CN"
+
+        self.export_pkcs12('ca1/server-badname', filename='http.p12')
+        self.export_pkcs12('ca1/server', filename='dirsrv.p12')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(http_pkcs12='http.p12',
+                                     dirsrv_pkcs12='dirsrv.p12')
+        assert result.returncode > 0
+        assert (('The server certificate in http.p12 is not valid: '
+                'invalid for server %s' % self.master.hostname) in
+                result.stderr_text), result.stderr_text
+
+    def test_invalid_ds_cn(self):
+        "IPA server install with DS certificate with invalid CN"
+
+        self.export_pkcs12('ca1/server', filename='http.p12')
+        self.export_pkcs12('ca1/server-badname', filename='dirsrv.p12')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(http_pkcs12='http.p12',
+                                     dirsrv_pkcs12='dirsrv.p12')
+        assert result.returncode > 0
+        assert (('The server certificate in dirsrv.p12 is not valid: '
+                'invalid for server %s' % self.master.hostname) in
+                result.stderr_text), result.stderr_text
+
+    def test_expired_http(self):
+        "IPA server install with expired HTTP certificate"
+
+        self.export_pkcs12('ca1/server-expired', filename='http.p12')
+        self.export_pkcs12('ca1/server', filename='dirsrv.p12')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(http_pkcs12='http.p12',
+                                     dirsrv_pkcs12='dirsrv.p12')
+        assert result.returncode > 0
+        assert ('The server certificate in http.p12 is not valid: '
+                "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
+                'expired.' in result.stderr_text), result.stderr_text
+
+    def test_expired_ds(self):
+        "IPA server install with expired DS certificate"
+
+        self.export_pkcs12('ca1/server', filename='http.p12')
+        self.export_pkcs12('ca1/server-expired', filename='dirsrv.p12')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(http_pkcs12='http.p12',
+                                     dirsrv_pkcs12='dirsrv.p12')
+        assert result.returncode > 0
+        assert ('The server certificate in dirsrv.p12 is not valid: '
+                "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
+                'expired.' in result.stderr_text), result.stderr_text
+
+    def test_http_bad_usage(self):
+        "IPA server install with HTTP certificate with invalid key usage"
+
+        self.export_pkcs12('ca1/server-badusage', filename='http.p12')
+        self.export_pkcs12('ca1/server', filename='dirsrv.p12')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(http_pkcs12='http.p12',
+                                     dirsrv_pkcs12='dirsrv.p12')
+        assert result.returncode > 0
+        assert ('The server certificate in http.p12 is not valid: '
+                'invalid for a SSL server'
+                in result.stderr_text), result.stderr_text
+
+    def test_ds_bad_usage(self):
+        "IPA server install with DS certificate with invalid key usage"
+
+        self.export_pkcs12('ca1/server', filename='http.p12')
+        self.export_pkcs12('ca1/server-badusage', filename='dirsrv.p12')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(http_pkcs12='http.p12',
+                                     dirsrv_pkcs12='dirsrv.p12')
+        assert result.returncode > 0
+        assert ('The server certificate in dirsrv.p12 is not valid: '
+                'invalid for a SSL server'
+                in result.stderr_text), result.stderr_text
+
+    def test_revoked_http(self):
+        "IPA server install with revoked HTTP certificate"
+
+        self.export_pkcs12('ca1/server-revoked', filename='http.p12')
+        self.export_pkcs12('ca1/server', filename='dirsrv.p12')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(http_pkcs12='http.p12',
+                                     dirsrv_pkcs12='dirsrv.p12')
+        assert result.returncode > 0
+
+    def test_revoked_ds(self):
+        "IPA server install with revoked DS certificate"
+
+        self.export_pkcs12('ca1/server', filename='http.p12')
+        self.export_pkcs12('ca1/server-revoked', filename='dirsrv.p12')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(http_pkcs12='http.p12',
+                                     dirsrv_pkcs12='dirsrv.p12')
+        assert result.returncode > 0
+
+    def test_http_intermediate_ca(self):
+        "IPA server install with HTTP certificate issued by intermediate CA"
+
+        self.export_pkcs12('ca1/subca/server', filename='http.p12')
+        self.export_pkcs12('ca1/server', filename='dirsrv.p12')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(http_pkcs12='http.p12',
+                                     dirsrv_pkcs12='dirsrv.p12')
+        assert result.returncode > 0
+        assert ('http.p12 is not signed by root.pem, or the full '
+                'certificate chain is not present in the PKCS#12 file'
+                in result.stderr_text), result.stderr_text
+
+    def test_ds_intermediate_ca(self):
+        "IPA server install with DS certificate issued by intermediate CA"
+
+        self.export_pkcs12('ca1/server', filename='http.p12')
+        self.export_pkcs12('ca1/subca/server', filename='dirsrv.p12')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(http_pkcs12='http.p12',
+                                     dirsrv_pkcs12='dirsrv.p12')
+        assert result.returncode > 0
+        assert ('dirsrv.p12 is not signed by root.pem, or the full '
+                'certificate chain is not present in the PKCS#12 file'
+                in result.stderr_text), result.stderr_text
+
+    def test_ca_self_signed(self):
+        "IPA server install with self-signed certificate"
+
+        self.export_pkcs12('server-selfsign')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('server-selfsign'))
+
+        result = self.install_server()
+        assert result.returncode > 0
+
+    def test_valid_certs(self):
+        "IPA server install with valid certificates"
+
+        self.export_pkcs12('ca1/server')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server()
+        assert result.returncode == 0
+        self.verify_installed_certs()
+
+    def test_wildcard_http(self):
+        "IPA server install with wildcard HTTP certificate"
+
+        self.export_pkcs12('ca1/wildcard', filename='http.p12')
+        self.export_pkcs12('ca1/server', filename='dirsrv.p12')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(http_pkcs12='http.p12',
+                                     dirsrv_pkcs12='dirsrv.p12')
+        assert result.returncode == 0
+        self.verify_installed_certs()
+
+    def test_wildcard_ds(self):
+        "IPA server install with wildcard DS certificate"
+
+        self.export_pkcs12('ca1/server', filename='http.p12')
+        self.export_pkcs12('ca1/wildcard', filename='dirsrv.p12')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(http_pkcs12='http.p12',
+                                     dirsrv_pkcs12='dirsrv.p12')
+        assert result.returncode == 0
+        self.verify_installed_certs()
+
+    def test_http_san(self):
+        "IPA server install with HTTP certificate with SAN"
+
+        self.export_pkcs12('ca1/server-altname', filename='http.p12')
+        self.export_pkcs12('ca1/server', filename='dirsrv.p12')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(http_pkcs12='http.p12',
+                                     dirsrv_pkcs12='dirsrv.p12')
+        assert result.returncode == 0
+        self.verify_installed_certs()
+
+    def test_ds_san(self):
+        "IPA server install with DS certificate with SAN"
+
+        self.export_pkcs12('ca1/server', filename='http.p12')
+        self.export_pkcs12('ca1/server-altname', filename='dirsrv.p12')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(http_pkcs12='http.p12',
+                                     dirsrv_pkcs12='dirsrv.p12')
+        assert result.returncode == 0
+        self.verify_installed_certs()
+
+    def test_interactive_missing_http_pkcs_password(self):
+        "IPA server install with prompt for HTTP PKCS#12 password"
+
+        self.export_pkcs12('ca1/server')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        stdin_text = get_install_stdin(cert_passwords=[self.cert_password])
+
+        result = self.install_server(http_pin=False, unattended=False,
+                                     stdin_text=stdin_text)
+        assert result.returncode == 0
+        self.verify_installed_certs()
+        assert ('Enter server.p12 unlock password:'
+                in result.stdout_text), result.stdout_text
+
+    def test_interactive_missing_ds_pkcs_password(self):
+        "IPA server install with prompt for DS PKCS#12 password"
+
+        self.export_pkcs12('ca1/server')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        stdin_text = get_install_stdin(cert_passwords=[self.cert_password])
+
+        result = self.install_server(dirsrv_pin=False, unattended=False,
+                                     stdin_text=stdin_text)
+        assert result.returncode == 0
+        self.verify_installed_certs()
+        assert ('Enter server.p12 unlock password:'
+                in result.stdout_text), result.stdout_text
+
+    def verify_installed_certs(self):
+        """Verify CA PEM file created by install
+
+        Called from every positive server install test
+        """
+        with open(self.pem_filename) as f:
+            expected_cacrt = f.read()
+        remote_cacrt = self.master.get_file_contents('/etc/ipa/ca.crt')
+        self.log.debug('/etc/ipa/ca.crt contents:\n%s', remote_cacrt)
+        assert expected_cacrt == remote_cacrt
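Review bot: `export_pkcs12` passes the NSS database and PKCS#12 password on the command line via `'-K', self.cert_password, '-W', self.cert_password`, and `install_server` does the same with `--http_pin`/`--dirsrv_pin`, so the password is visible in the process list of the test runner and the target host while those commands run; pk12util accepts password files through `-k` and `-w`, which would keep at least the local export out of argv (the installer's pin options are fixed by ipa-server-install, so that side is a known cost of the unattended path). `test_ca_self_signed`, `test_revoked_http` and `test_revoked_ds` assert only `result.returncode > 0`, so an install that fails for an unrelated reason (missing file, bad pin) still passes; once the expected error text is settled they should check `result.stderr_text` like the other negative tests do, and the revoked cases could be marked as expected failures until revocation checking is implemented, as the cover letter notes. In `install`, `ipautil.run(['bash', '-ex', scriptfile], cwd=cls.cert_dir, env=env)` hands the helper a five-key environment; whether `PATH` is preserved depends on how ipautil.run merges `env`, so it is worth confirming that certutil/crlutil resolve on a minimal environment.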
-- 
1.8.3.1
