Hi all, it's been a while, and now the patch seems to be stable. It does occasionally hit one known issue with replica installation [1], but other than that it works fine on both domain levels.
[1] https://fedorahosted.org/freeipa/ticket/5758
From a773c297f37340f36cf257a2b5b75eb8199bd47d Mon Sep 17 00:00:00 2001 From: Oleg Fayans <ofay...@redhat.com> Date: Tue, 8 Dec 2015 10:49:18 +0100 Subject: [PATCH] Updated the script creating test certificate chains https://fedorahosted.org/freeipa/ticket/4589 --- .../test_integration/scripts/caless-create-pki | 29 ++++++++++++++-------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/ipatests/test_integration/scripts/caless-create-pki b/ipatests/test_integration/scripts/caless-create-pki index f428ebae16e05644a875a35faf192f75eb149740..4c37077ffdecfb0c70663c7c4817f102154d3b26 100644 --- a/ipatests/test_integration/scripts/caless-create-pki +++ b/ipatests/test_integration/scripts/caless-create-pki @@ -3,7 +3,17 @@ profile_ca=(-t CT,C,C -v 120) profile_server=(-t ,, -v 12) -crl_path=${crl_path-$(readlink -f $dbdir)} +# crl_path=${crl_path-$(readlink -f $dbdir)} +profile_ca_request_options=(-1 -2 -4) +profile_ca_request_input="\$'0\n1\n5\n6\n9\ny\ny\n\ny\n1\n7\nfile://'\$(readlink -f \$dbdir)/\$ca.crl\$'\n-1\n-1\n-1\nn\nn\n'" +profile_ca_create_options=(-v 120) +profile_ca_add_options=(-t ,,) + +profile_server_request_options=(-4) +profile_server_request_input="\$'1\n7\nfile://'\$(readlink -f \$dbdir)/\$ca.crl\$'\n-1\n-1\n-1\nn\nn\n'" +profile_server_create_options=(-v 12) +profile_server_add_options=(-t ,,) + serial_number=0 @@ -18,7 +28,11 @@ gen_cert() { ca="$nick" fi + echo $profile eval "options=(\"\${profile_$profile[@]}\")" + eval "request_options=(\"\${profile_${profile}_request_options[@]}\")" + eval "eval request_input=(\"\${profile_${profile}_request_input[@]}\")" + if [ "$ca" = "$nick" ]; then options=("${options[@]}" -x -m 1) else 
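Review bot: The new `profile_*_request_input` strings embed `file://$(readlink -f $dbdir)/$ca.crl` as the CRL distribution point, so the `crl_path` override that the old `crl_path=${crl_path-…}` line honoured is now ignored (the line is only commented out, not removed). The Python tests still pass `crl_path` in the script's environment and copy the CRLs to that path on each host, so if it differs from the local nssdb path the revocation tests will presumably look for CRLs at a URI that does not exist on the target host. Keep the `crl_path=` line and reference it from both inputs, e.g. `...'\n1\n7\nfile://'\$crl_path/\$ca.crl\$'\n-1...` in place of `\$(readlink -f \$dbdir)/\$ca.crl`, and delete the commented-out line rather than leaving it.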
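Review bot: `echo $profile` in gen_cert looks like leftover debugging output; it goes to the script's stdout on every certificate and should be dropped. The stacked `eval "eval request_input=(…)"` re-parses `$(readlink -f $dbdir)` and `$ca` a second time with `$dbdir` unquoted inside the substitution, so any dbdir containing whitespace or shell metacharacters would break here; a one-line comment such as `# second eval expands $dbdir/$ca inside the profile's request input` would at least tell the next reader why two rounds are needed. gen_cert continues outside this hunk.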
@@ -38,16 +52,7 @@ gen_cert() { csr="$(mktemp)" crt="$(mktemp)" - certutil -R -d "$dbdir" -s "$subject" -f "$pwfile" -z "$noise" -o "$csr" -4 >/dev/null <<EOF -1 -7 -file://$crl_path/$ca.crl --1 --1 --1 -n -n -EOF + certutil -R -d "$dbdir" -s "$subject" -f "$pwfile" -z "$noise" -o "$csr" "${request_options[@]}" >/dev/null <<<"$request_input" serial_number=$(($serial_number+1)) certutil -C -d "$dbdir" -f "$pwfile" -m "$serial_number" -i "$csr" -o "$crt" "${options[@]}" "$@" certutil -A -d "$dbdir" -n "$nick" -f "$pwfile" -i "$crt" "${options[@]}" @@ -117,3 +122,5 @@ gen_cert server replica-selfsign "CN=$server2,O=Self-signed" gen_subtree ca1 'Example Organization' gen_subtree ca1/subca 'Subsidiary Example Organization' gen_subtree ca2 'Other Example Organization' +gen_subtree ca3 'Unknown Organization' +certutil -D -d "$dbdir" -n ca3 -- 2.4.3
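Review bot: The new `certutil -D -d "$dbdir" -n ca3` right after `gen_subtree ca3` has no comment explaining why a CA that was just generated is immediately removed from the database, which will read as a mistake to anyone who has not seen the Python side. Presumably the point is that certificates issued by ca3 can no longer be chained when exported, which is what the "unknown CA" test relies on; a line such as `# drop ca3's CA cert so its issued certs export without a chain (used by the unknown-CA tests)` would make that explicit.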
From 33cebeadefe95cd1b89f4dcd7488db7fc78b0bd0 Mon Sep 17 00:00:00 2001 From: Oleg Fayans <ofay...@redhat.com> Date: Fri, 8 Apr 2016 16:38:39 +0200 Subject: [PATCH] Actualized ca-less tests https://fedorahosted.org/freeipa/ticket/4589 --- ipatests/test_integration/test_caless.py | 448 +++++++++++++++++-------------- 1 file changed, 244 insertions(+), 204 deletions(-) diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py index fdc4fc8efe73631e9ab03f3b9019444f7d7e09ec..4ee728f4095b188bb126a125241e1d1631ff3335 100644 --- a/ipatests/test_integration/test_caless.py +++ b/ipatests/test_integration/test_caless.py @@ -32,20 +32,19 @@ from ipaplatform.paths import paths from ipapython.dn import DN from ipatests.test_integration.base import IntegrationTest from ipatests.test_integration import tasks +from env_config import get_global_config +from ipalib.constants import DOMAIN_LEVEL_0 _DEFAULT = object() +config = get_global_config() def get_install_stdin(cert_passwords=()): lines = [ - 'yes', # Existing BIND configuration detected, overwrite? [no] '', # Server host name (has default) - '', # Confirm domain name (has default) ] lines.extend(cert_passwords) # Enter foo.p12 unlock password lines += [ - '', # Do you want to configure the reverse zone? [yes] - '', # Please specify the reverse zone name [47.34.10.in-addr.arpa.] 'yes', # Continue with these values? ] return '\n'.join(lines + ['']) 
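Review bot: `from env_config import get_global_config` is a bare top-level import inside a package module; if `env_config` is the sibling module in `ipatests.test_integration`, this only resolves when that directory happens to be on `sys.path`, so it should be `from ipatests.test_integration.env_config import get_global_config`. The module-level `config = get_global_config()` also runs at import/collection time, so any missing environment makes collection of this whole file fail rather than the tests that need it; consider resolving it lazily where `config.domain_level` is consumed.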
@@ -86,22 +85,23 @@ class CALessBase(IntegrationTest): client_hostname = cls.clients[0].hostname else: client_hostname = 'unused-client.test' - env = { + cls.env = { 'domain': cls.master.domain.name, 'server1': cls.master.hostname, 'server2': replica_hostname, 'client': client_hostname, 'dbdir': 'nssdb', - 'dbpassword': cls.cert_password, 'crl_path': cls.crl_path, + 'dirman_password': cls.master.config.dirman_password, } - ipautil.run(['bash', '-ex', scriptfile], cwd=cls.cert_dir, env=env) + ipautil.run(['bash', '-ex', scriptfile], cwd=cls.cert_dir, env=cls.env) for host in cls.get_all_hosts(): tasks.apply_common_fixes(host) # Copy CRLs over base = os.path.join(cls.cert_dir, 'nssdb') + host.transport.mkdir_recursive(host.config.test_dir) host.transport.mkdir_recursive(cls.crl_path) for source in glob.glob(os.path.join(base, '*.crl')): dest = os.path.join(cls.crl_path, os.path.basename(source)) @@ -112,6 +112,10 @@ class CALessBase(IntegrationTest): # Remove the NSS database shutil.rmtree(cls.cert_dir) + # Remove CA cert in /etc/pki/nssdb, in case of failed (un)install + for host in cls.get_all_hosts(): + cls.uninstall_server(host) + super(CALessBase, cls).uninstall(mh) @classmethod @@ -140,6 +144,11 @@ class CALessBase(IntegrationTest): for filename in set(files_to_copy): cls.copy_cert(host, filename) + # Remove existing ca certs from default database to avoid conflicts + args = ["certutil", "-D", "-d", "/etc/httpd/alias", "-n"] + host.run_command(args + ["ca1"], raiseonerr=False) + host.run_command(args + ["ca1/server"], raiseonerr=False) + host.collect_log(paths.IPASERVER_INSTALL_LOG) host.collect_log(paths.IPACLIENT_INSTALL_LOG) inst = host.domain.realm.replace('.', '-') 
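Review bot: `'dirman_password': cls.master.config.dirman_password` puts the Directory Manager password into the environment of a script run with `bash -ex`, and nothing in the accompanying script patch reads it; if it is ever referenced there, `-x` tracing will echo the secret into the captured output and test logs. Drop it from `cls.env` until the script needs it, or run the script without `-x` when it does. The same hunk removes `'dbpassword'`; if the unchanged parts of caless-create-pki still read `$dbpassword` for the NSS password file, that leaves the database password empty — worth confirming against the script.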
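Review bot: The new loop calls `cls.uninstall_server(host)` for every host from `get_all_hosts()`, i.e. clients too, and `uninstall_server` runs `ipa-server-install --uninstall -U` without `raiseonerr=False` (visible as context in a later hunk), so a failure on one host aborts the loop and `super(CALessBase, cls).uninstall(mh)` never runs. The comment above it says "Remove CA cert in /etc/pki/nssdb" while the call is a full server uninstall, so the comment and code disagree as well. Consider restricting the loop to `[cls.master] + cls.replicas` and wording the comment as `# Uninstall servers (and their NSS CA certs) left over from a failed install`.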
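Review bot: The certutil cleanup in install_server hard-codes `"/etc/httpd/alias"` while the rest of this patch uses `paths.HTTPD_ALIAS_DIR` for the same directory; use `args = ["certutil", "-D", "-d", paths.HTTPD_ALIAS_DIR, "-n"]`. It also only removes the `ca1` and `ca1/server` nicknames, whereas the uninstall path later enumerates and deletes every entry, so the two cleanups can drift; a short comment on why only these two matter here would help.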
@@ -152,11 +161,14 @@ class CALessBase(IntegrationTest): '--dirsrv-cert-file', dirsrv_pkcs12, '--ca-cert-file', root_ca_file, '--ip-address', host.ip, - '-r', host.domain.name, + '-n', host.domain.name, + '-r', host.domain.realm, '-p', host.config.dirman_password, '-a', host.config.admin_password, '--setup-dns', '--forwarder', host.config.dns_forwarder, + '--auto-reverse', + '--domain-level', str(config.domain_level) ] if http_pin is not None: @@ -165,7 +177,6 @@ class CALessBase(IntegrationTest): args.extend(['--dirsrv-pin', dirsrv_pin]) if unattended: args.extend(['-U']) - return host.run_command(args, raiseonerr=False, stdin_text=stdin_text) @classmethod @@ -178,13 +189,24 @@ class CALessBase(IntegrationTest): if host is None: host = self.master host.run_command(['ipa-server-install', '--uninstall', '-U']) + # Remove CA cert in /etc/pki/nssdb, in case of failed (un)install + host.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D', + '-n', 'External CA cert'], + raiseonerr=False) + # A workaround for https://fedorahosted.org/freeipa/ticket/4639 + result = host.run_command(['certutil', '-L', '-d', + paths.HTTPD_ALIAS_DIR]) + for rawcert in result.stdout_text.split('\n')[4: -1]: + cert = rawcert.split(' ')[0] + host.run_command(['certutil', '-D', '-d', paths.HTTPD_ALIAS_DIR, + '-n', cert]) def prepare_replica(self, _replica_number=0, replica=None, master=None, http_pkcs12='replica.p12', dirsrv_pkcs12='replica.p12', http_pkcs12_exists=True, dirsrv_pkcs12_exists=True, http_pin=_DEFAULT, dirsrv_pin=_DEFAULT, root_ca_file='root.pem', unattended=True, - stdin_text=None): + stdin_text=None, domain_level=None): """Prepare a CA-less replica Puts the bundle file into test_dir on the replica if successful, 
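Review bot: The ticket-4639 workaround in uninstall_server parses `certutil -L` output with `split('\n')[4: -1]` and `rawcert.split(' ')[0]`, which truncates any nickname containing a space (the same hunk deletes `'External CA cert'` by name, so such nicknames exist) and silently depends on the listing header being exactly four lines. Taking the nickname as everything before the trailing trust-flags column, `cert = rawcert.rsplit(None, 1)[0].strip()`, and passing `raiseonerr=False` to the `-D` call would make this robust; skip empty lines. The new `domain_level=None` parameter of prepare_replica is also undocumented, and the docstring's "Puts the bundle file into test_dir on the replica" now only holds for domain level 0 — the body continues outside this hunk.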
@@ -200,16 +222,27 @@ class CALessBase(IntegrationTest): http_pin = self.cert_password if dirsrv_pin is _DEFAULT: dirsrv_pin = self.cert_password + if domain_level is None: + tasks.kinit_admin(master) + domain_level = tasks.domainlevel(master) files_to_copy = ['root.pem'] if http_pkcs12_exists: files_to_copy.append(http_pkcs12) + if dirsrv_pkcs12_exists: files_to_copy.append(dirsrv_pkcs12) + if domain_level == DOMAIN_LEVEL_0: + destination_host = master + else: + destination_host = replica for filename in set(files_to_copy): - master.transport.put_file( - os.path.join(self.cert_dir, filename), - os.path.join(master.config.test_dir, filename)) + try: + destination_host.transport.put_file( + os.path.join(self.cert_dir, filename), + os.path.join(destination_host.config.test_dir, filename)) + except OSError: + pass replica.collect_log(paths.IPAREPLICA_INSTALL_LOG) replica.collect_log(paths.IPACLIENT_INSTALL_LOG) 
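Review bot: `except OSError: pass` around `destination_host.transport.put_file` swallows every failure to copy a certificate to the replica, so a broken transport or wrong `test_dir` surfaces later as an unrelated installer error. The `http_pkcs12_exists`/`dirsrv_pkcs12_exists` flags already express "this file is not supposed to exist", so the copy should stay unguarded and callers keep passing the flags; if a guard is wanted, check `os.path.exists(os.path.join(self.cert_dir, filename))` explicitly rather than catching an exception whose type depends on the transport backend (a missing local file may surface as IOError or a subprocess error on Python 2).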
@@ -217,35 +250,42 @@ class CALessBase(IntegrationTest): replica.collect_log(paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst) replica.collect_log(paths.SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE % inst) - args = [ - 'ipa-replica-prepare', - '--ip-address', replica.ip, - '-p', replica.config.dirman_password, - ] + args = ['-p', replica.config.dirman_password] - if http_pkcs12: + if http_pkcs12_exists: args.extend(['--http-cert-file', http_pkcs12]) - if dirsrv_pkcs12: + if dirsrv_pkcs12_exists: args.extend(['--dirsrv-cert-file', dirsrv_pkcs12]) if http_pin is not None: args.extend(['--http-pin', http_pin]) if dirsrv_pin is not None: args.extend(['--dirsrv-pin', dirsrv_pin]) - args.extend([replica.hostname]) - - result = master.run_command(args, raiseonerr=False, - stdin_text=stdin_text) - - if result.returncode == 0: - replica_bundle = master.get_file_contents( - paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname) - replica.put_file_contents(self.get_replica_filename(replica), - replica_bundle) + if domain_level == DOMAIN_LEVEL_0: + args.insert(0, "ipa-replica-prepare") + args.extend([replica.hostname]) else: - replica.run_command(['rm', self.get_replica_filename(replica)], - raiseonerr=False) + args.insert(0, "ipa-replica-install") + args.extend(['-P', 'admin', '-n', replica.domain.name, + '-r', replica.domain.realm, + '--server', master.hostname]) + if unattended: + args.append('-U') + if tasks.master_authoritative_for_client_domain(master, replica): + args.extend(['--ip-address', replica.ip]) + + result = destination_host.run_command(args, raiseonerr=False, + stdin_text=stdin_text) + if domain_level == DOMAIN_LEVEL_0: + if result.returncode == 0: + replica_bundle = master.get_file_contents( + paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname) + replica.put_file_contents(self.get_replica_filename(replica), + replica_bundle) + else: + replica.run_command(['rm', self.get_replica_filename(replica)], + raiseonerr=False) return result def get_replica_filename(self, replica): 
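Review bot: In the domain-level ≥ 1 branch `'-P', 'admin'` hard-codes the admin principal while the only password on the command line is `replica.config.dirman_password` via `-p`; whether ipa-replica-install accepts the Directory Manager password for that principal is not established here, so if it needs the admin password pass `replica.config.admin_password` through its admin-password option, and take the principal name from the test config like the other credentials if it exposes one. A one-line comment above the branch, such as `# DL0: prepare the bundle on the master; DL1+: promote the replica directly`, would also help, since the function name still says "prepare".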
@@ -288,7 +328,7 @@ class CALessBase(IntegrationTest): def get_pem(cls, nickname): pem_cert, _stderr, _returncode = ipautil.run( ['certutil', '-L', '-d', 'nssdb', '-n', nickname, '-a'], - cwd=cls.cert_dir) + cwd=cls.cert_dir, capture_output=True) return pem_cert def verify_installation(self): @@ -316,9 +356,7 @@ class CALessBase(IntegrationTest): # Verify certmonger was not started result = host.run_command(['getcert', 'list'], raiseonerr=False) - assert result > 0 - assert ('Please verify that the certmonger service has been ' - 'started.' in result.stdout_text), result.stdout_text + assert result.returncode == 0 for host in self.get_all_hosts(): # Check the cert PEM file @@ -334,9 +372,15 @@ class CALessBase(IntegrationTest): class TestServerInstall(CALessBase): num_replicas = 0 - def tearDown(self): - self.uninstall_server() + def teardown(func): + def wrapped(*args): + try: + func(*args) + finally: + args[0].uninstall_server() + return wrapped + @teardown def test_nonexistent_ca_pem_file(self): "IPA server install with non-existent CA PEM file " 
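Review bot: The unchanged comment `# Verify certmonger was not started` is now contradicted by the new `assert result.returncode == 0` on `getcert list`, which requires certmonger to be running and answering. Update the comment to match the new expectation, e.g. `# Verify certmonger is running: getcert list must succeed`, and consider keeping the failure output in the assertion message, `assert result.returncode == 0, result.stderr_text`.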
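Review bot: The `teardown` decorator in TestServerInstall becomes a class attribute named `teardown`, which pytest's nose-compatibility layer treats as a per-test teardown hook and may call with the wrong arguments; it also wraps without `functools.wraps`, so the docstrings that serve as test descriptions are lost, and `wrapped(*args)` drops keyword arguments. Rename it to something like `_uninstall_after`, preserve metadata with `functools.wraps` (imported at the top of the file), and accept `self` explicitly; the same applies to the copy in TestReplicaInstall.
```python
    def _uninstall_after(func):
        """Run the test, then uninstall the server even if it failed."""
        @functools.wraps(func)
        def wrapped(self, *args, **kwargs):
            try:
                func(self, *args, **kwargs)
            finally:
                self.uninstall_server()
        return wrapped
```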
@@ -349,42 +393,19 @@ class TestServerInstall(CALessBase): 'Failed to open does_not_exist: No such file ' 'or directory') + @teardown def test_unknown_ca(self): "IPA server install with CA PEM file with unknown CA certificate" - self.export_pkcs12('ca1/server') + self.export_pkcs12('ca3/server') with open(self.pem_filename, 'w') as f: f.write(self.get_pem('ca2')) result = self.install_server() assert_error(result, - 'server.p12 is not signed by root.pem, or the full ' - 'certificate chain is not present in the PKCS#12 ' - 'file') - - def test_ca_server_cert(self): - "IPA server install with CA PEM file with server certificate" - - self.export_pkcs12('ca1/server') - with open(self.pem_filename, 'w') as f: - f.write(self.get_pem('ca1/server')) - - result = self.install_server() - assert_error(result, - 'trust chain of the server certificate in server.p12 ' - 'contains 1 certificates, expected 2') - - def test_ca_2_certs(self): - "IPA server install with CA PEM file with 2 certificates" - - self.export_pkcs12('ca1/server') - with open(self.pem_filename, 'w') as f: - f.write(self.get_pem('ca1')) - f.write(self.get_pem('ca2')) - - result = self.install_server() - assert_error(result, 'root.pem contains more than one certificate') + 'The full certificate chain is not present in server.p12') + @teardown def test_nonexistent_http_pkcs12_file(self): "IPA server install with non-existent HTTP PKCS#12 file" @@ -396,6 +417,7 @@ class TestServerInstall(CALessBase): http_pkcs12_exists=False) assert_error(result, 'Failed to open does_not_exist') + @teardown def test_nonexistent_ds_pkcs12_file(self): "IPA server install with non-existent DS PKCS#12 file" @@ -407,6 +429,7 @@ class TestServerInstall(CALessBase): dirsrv_pkcs12_exists=False) assert_error(result, 'Failed to open does_not_exist') + @teardown def test_missing_http_password(self): "IPA server install with missing HTTP PKCS#12 password (unattended)" 
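Review bot: `test_unknown_ca` now exports `ca3/server` but still writes the `ca2` PEM and asserts "The full certificate chain is not present in server.p12", so the assertion checks a missing chain rather than an unknown CA and the docstring no longer describes what the test proves; either assert the unknown-CA message with a complete chain, or rename/re-document the test. The hunk also deletes `test_ca_server_cert` and `test_ca_2_certs`, dropping coverage for a root.pem that contains the server certificate or two certificates; if those installer messages changed, re-point the assertions instead of removing the tests, or say in the commit message why the checks are gone.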
@@ -419,6 +442,7 @@ class TestServerInstall(CALessBase): 'ipa-server-install: error: You must specify --http-pin ' 'with --http-cert-file') + @teardown def test_missing_ds_password(self): "IPA server install with missing DS PKCS#12 password (unattended)" @@ -431,7 +455,9 @@ class TestServerInstall(CALessBase): 'ipa-server-install: error: You must specify ' '--dirsrv-pin with --dirsrv-cert-file') - def test_incorect_http_pin(self): + @pytest.mark.xfail(reason='freeipa ticket 5378') + @teardown + def test_incorrect_http_pin(self): "IPA server install with incorrect HTTP PKCS#12 password" self.export_pkcs12('ca1/server') @@ -441,7 +467,9 @@ class TestServerInstall(CALessBase): result = self.install_server(http_pin='bad<pin>') assert_error(result, 'incorrect password for pkcs#12 file server.p12') - def test_incorect_ds_pin(self): + @pytest.mark.xfail(reason='freeipa ticket 5378') + @teardown + def test_incorrect_ds_pin(self): "IPA server install with incorrect DS PKCS#12 password" self.export_pkcs12('ca1/server') @@ -451,6 +479,7 @@ class TestServerInstall(CALessBase): result = self.install_server(dirsrv_pin='bad<pin>') assert_error(result, 'incorrect password for pkcs#12 file server.p12') + @teardown def test_invalid_http_cn(self): "IPA server install with HTTP certificate with invalid CN" @@ -465,6 +494,7 @@ class TestServerInstall(CALessBase): 'The server certificate in http.p12 is not valid: ' 'invalid for server %s' % self.master.hostname) + @teardown def test_invalid_ds_cn(self): "IPA server install with DS certificate with invalid CN" @@ -479,6 +509,7 @@ class TestServerInstall(CALessBase): 'The server certificate in dirsrv.p12 is not valid: ' 'invalid for server %s' % self.master.hostname) + @teardown def test_expired_http(self): "IPA server install with expired HTTP certificate" 
@@ -494,6 +525,7 @@ class TestServerInstall(CALessBase): "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " 'expired.') + @teardown def test_expired_ds(self): "IPA server install with expired DS certificate" @@ -509,6 +541,7 @@ class TestServerInstall(CALessBase): "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " 'expired.') + @teardown def test_http_bad_usage(self): "IPA server install with HTTP certificate with invalid key usage" @@ -523,6 +556,7 @@ class TestServerInstall(CALessBase): 'The server certificate in http.p12 is not valid: ' 'invalid for a SSL server') + @teardown def test_ds_bad_usage(self): "IPA server install with DS certificate with invalid key usage" @@ -537,6 +571,7 @@ class TestServerInstall(CALessBase): 'The server certificate in dirsrv.p12 is not valid: ' 'invalid for a SSL server') + @teardown def test_revoked_http(self): "IPA server install with revoked HTTP certificate" @@ -549,12 +584,14 @@ class TestServerInstall(CALessBase): dirsrv_pkcs12='dirsrv.p12') if result.returncode == 0: + self.uninstall_server() raise nose.SkipTest( "Known CA-less installation defect, see " + "https://fedorahosted.org/freeipa/ticket/4270") assert result.returncode > 0 + @teardown def test_revoked_ds(self): "IPA server install with revoked DS certificate" @@ -567,12 +604,14 @@ class TestServerInstall(CALessBase): dirsrv_pkcs12='dirsrv.p12') if result.returncode == 0: + self.uninstall_server() raise nose.SkipTest( "Known CA-less installation defect, see " + "https://fedorahosted.org/freeipa/ticket/4270") assert result.returncode > 0 + @teardown def test_http_intermediate_ca(self): "IPA server install with HTTP certificate issued by intermediate CA" 
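Review bot: The explicit `self.uninstall_server()` added before `raise nose.SkipTest(...)` in test_revoked_http (and again in test_revoked_ds below) is now redundant with the `@teardown` wrapper, whose `finally` uninstalls a second time; since `uninstall_server` runs `ipa-server-install --uninstall -U` without `raiseonerr=False`, a failing second uninstall would replace the SkipTest with an error. Drop the explicit call and let the decorator handle cleanup.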
@@ -583,10 +622,11 @@ class TestServerInstall(CALessBase): result = self.install_server(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') - assert_error(result, - 'http.p12 is not signed by root.pem, or the full ' - 'certificate chain is not present in the PKCS#12 file') + assert_error(result, 'Apache Server SSL certificate and' + ' Directory Server SSL certificate are not' + ' signed by the same CA certificate') + @teardown def test_ds_intermediate_ca(self): "IPA server install with DS certificate issued by intermediate CA" @@ -598,9 +638,10 @@ class TestServerInstall(CALessBase): result = self.install_server(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'dirsrv.p12 is not signed by root.pem, or the full ' - 'certificate chain is not present in the PKCS#12 file') + 'Apache Server SSL certificate and Directory Server SSL' + ' certificate are not signed by the same CA certificate') + @teardown def test_ca_self_signed(self): "IPA server install with self-signed certificate" @@ -611,6 +652,7 @@ class TestServerInstall(CALessBase): result = self.install_server() assert result.returncode > 0 + @teardown def test_valid_certs(self): "IPA server install with valid certificates" @@ -622,6 +664,8 @@ class TestServerInstall(CALessBase): assert result.returncode == 0 self.verify_installation() + @pytest.mark.xfail(reason='freeipa ticket 5603') + @teardown def test_wildcard_http(self): "IPA server install with wildcard HTTP certificate" @@ -635,6 +679,8 @@ class TestServerInstall(CALessBase): assert result.returncode == 0 self.verify_installation() + @pytest.mark.xfail(reason='freeipa ticket 5603') + @teardown def test_wildcard_ds(self): "IPA server install with wildcard DS certificate" @@ -648,6 +694,7 @@ class TestServerInstall(CALessBase): assert result.returncode == 0 self.verify_installation() + @teardown def test_http_san(self): "IPA server install with HTTP certificate with SAN" 
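Review bot: test_http_intermediate_ca now asserts "Apache Server SSL certificate and Directory Server SSL certificate are not signed by the same CA certificate", which is the issuer-mismatch check, not the intermediate-chain check the docstring describes; it only passes because http.p12 and dirsrv.p12 come from different CAs in this test. If the intent is still to cover a sub-CA-issued certificate, issue both files from the sub-CA and assert on the chain error, otherwise update the docstrings to say the mismatch is what is being verified. The same substitution appears in test_ds_intermediate_ca here and in TestReplicaInstall's test_http_unknown_ca, test_ds_unknown_ca, test_http_intermediate_ca and test_ds_intermediate_ca further down.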
@@ -661,6 +708,7 @@ class TestServerInstall(CALessBase): assert result.returncode == 0 self.verify_installation() + @teardown def test_ds_san(self): "IPA server install with DS certificate with SAN" @@ -674,6 +722,7 @@ class TestServerInstall(CALessBase): assert result.returncode == 0 self.verify_installation() + @teardown def test_interactive_missing_http_pkcs_password(self): "IPA server install with prompt for HTTP PKCS#12 password" @@ -687,9 +736,10 @@ class TestServerInstall(CALessBase): stdin_text=stdin_text) assert result.returncode == 0 self.verify_installation() - assert ('Enter server.p12 unlock password:' + assert ('Enter Apache Server private key unlock password' in result.stdout_text), result.stdout_text + @teardown def test_interactive_missing_ds_pkcs_password(self): "IPA server install with prompt for DS PKCS#12 password" @@ -703,9 +753,10 @@ class TestServerInstall(CALessBase): stdin_text=stdin_text) assert result.returncode == 0 self.verify_installation() - assert ('Enter server.p12 unlock password:' + assert ('Enter Directory Server private key unlock password' in result.stdout_text), result.stdout_text + @teardown def test_no_http_password(self): "IPA server install with empty HTTP password" @@ -720,6 +771,7 @@ class TestServerInstall(CALessBase): assert result.returncode == 0 self.verify_installation() + @teardown def test_no_ds_password(self): "IPA server install with empty DS password" 
@@ -738,60 +790,63 @@ class TestServerInstall(CALessBase): class TestReplicaInstall(CALessBase): num_replicas = 1 - def setUp(self): - # Install the master for every test - self.export_pkcs12('ca1/server') - with open(self.pem_filename, 'w') as f: - f.write(self.get_pem('ca1')) - - result = self.install_server() + @classmethod + def install(cls, mh): + super(TestReplicaInstall, cls).install(mh) + cls.export_pkcs12('ca1/server') + with open(cls.pem_filename, 'w') as f: + f.write(cls.get_pem('ca1')) + result = cls.install_server() assert result.returncode == 0 - def tearDown(self): - # Uninstall both master and replica - replica = self.replicas[0] - tasks.kinit_admin(self.master) - self.uninstall_server(replica) - self.master.run_command(['ipa-replica-manage', 'del', replica.hostname, - '--force'], raiseonerr=False) - self.master.run_command(['ipa', 'host-del', replica.hostname], - raiseonerr=False) - - self.uninstall_server() + def teardown(func): + def wrapped(*args): + try: + func(*args) + finally: + # Uninstall replica + replica = args[0].replicas[0] + tasks.kinit_admin(args[0].master) + args[0].uninstall_server(replica) + args[0].master.run_command(['ipa-replica-manage', 'del', + replica.hostname, '--force'], + raiseonerr=False) + args[0].master.run_command(['ipa', 'host-del', + replica.hostname], + raiseonerr=False) + return wrapped + @teardown def test_no_certs(self): "IPA replica install without certificates" + result = self.prepare_replica(http_pkcs12_exists=False, + dirsrv_pkcs12_exists=False) + assert_error(result, "Cannot issue certificates: a CA is not installed." + " Use the --http-cert-file, --dirsrv-cert-file " + "options to provide custom certificates.") - result = self.master.run_command(['ipa-replica-prepare', - self.replicas[0].hostname], - raiseonerr=False) - assert result.returncode > 0 - assert ('Cannot issue certificates: a CA is not installed. Use the ' - '--http-cert-file, --dirsrv-cert-file options to provide ' - 'custom certificates.' 
in result.stderr_text), \ - result.stderr_text - + @teardown def test_nonexistent_http_pkcs12_file(self): "IPA replica install with non-existent HTTP PKCS#12 file" - self.export_pkcs12('ca1/replica', filename='dirsrv.p12') - + self.export_pkcs12('ca1/replica', filename='http.p12') result = self.prepare_replica(http_pkcs12='does_not_exist', - dirsrv_pkcs12='dirsrv.p12', - http_pkcs12_exists=False) + dirsrv_pkcs12='http.p12') assert_error(result, 'Failed to open does_not_exist') + @teardown def test_nonexistent_ds_pkcs12_file(self): "IPA replica install with non-existent DS PKCS#12 file" self.export_pkcs12('ca1/replica', filename='http.p12') result = self.prepare_replica(dirsrv_pkcs12='does_not_exist', - http_pkcs12='http.p12', - dirsrv_pkcs12_exists=False) + http_pkcs12='http.p12') assert_error(result, 'Failed to open does_not_exist') - def test_incorect_http_pin(self): + @pytest.mark.xfail(reason='freeipa ticket 5378') + @teardown + def test_incorrect_http_pin(self): "IPA replica install with incorrect HTTP PKCS#12 password" self.export_pkcs12('ca1/replica', filename='replica.p12') @@ -800,7 +855,9 @@ class TestReplicaInstall(CALessBase): assert result.returncode > 0 assert_error(result, 'incorrect password for pkcs#12 file replica.p12') - def test_incorect_ds_pin(self): + @pytest.mark.xfail(reason='freeipa ticket 5378') + @teardown + def test_incorrect_ds_pin(self): "IPA replica install with incorrect DS PKCS#12 password" self.export_pkcs12('ca1/replica', filename='replica.p12') @@ -808,6 +865,7 @@ class TestReplicaInstall(CALessBase): result = self.prepare_replica(dirsrv_pin='bad<pin>') assert_error(result, 'incorrect password for pkcs#12 file replica.p12') + @teardown def test_http_unknown_ca(self): "IPA replica install with HTTP certificate issued by unknown CA" 
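Review bot: test_nonexistent_http_pkcs12_file and test_nonexistent_ds_pkcs12_file no longer pass `http_pkcs12_exists=False` / `dirsrv_pkcs12_exists=False`, so they rely on prepare_replica swallowing the failed copy of `does_not_exist`; keep the flags so the test states its intent and the copy loop can stay strict. In the replica `teardown` wrapper the `finally` calls `tasks.kinit_admin(args[0].master)` before the uninstall, so a kinit failure masks the original test failure — wrap the cleanup steps in `raiseonerr=False` calls or a nested try. This hunk begins on the previous line; the wrapper also lacks `functools.wraps`, as noted for TestServerInstall.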
@@ -816,10 +874,11 @@ class TestReplicaInstall(CALessBase): result = self.prepare_replica(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') - assert_error(result, - 'http.p12 is not signed by /etc/ipa/ca.crt, or the full ' - 'certificate chain is not present in the PKCS#12 file') + assert_error(result, 'Apache Server SSL certificate and' + ' Directory Server SSL certificate are not' + ' signed by the same CA certificate') + @teardown def test_ds_unknown_ca(self): "IPA replica install with DS certificate issued by unknown CA" @@ -829,10 +888,10 @@ class TestReplicaInstall(CALessBase): result = self.prepare_replica(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'dirsrv.p12 is not signed by /etc/ipa/ca.crt, or the ' - 'full certificate chain is not present in the PKCS#12 ' - 'file') + 'Apache Server SSL certificate and Directory Server SSL' + ' certificate are not signed by the same CA certificate') + @teardown def test_invalid_http_cn(self): "IPA replica install with HTTP certificate with invalid CN" @@ -845,6 +904,7 @@ class TestReplicaInstall(CALessBase): 'The server certificate in http.p12 is not valid: ' 'invalid for server %s' % self.replicas[0].hostname) + @teardown def test_invalid_ds_cn(self): "IPA replica install with DS certificate with invalid CN" @@ -857,6 +917,7 @@ class TestReplicaInstall(CALessBase): 'The server certificate in dirsrv.p12 is not valid: ' 'invalid for server %s' % self.replicas[0].hostname) + @teardown def test_expired_http(self): "IPA replica install with expired HTTP certificate" @@ -870,6 +931,7 @@ class TestReplicaInstall(CALessBase): "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " 'expired.') + @teardown def test_expired_ds(self): "IPA replica install with expired DS certificate" 
@@ -883,6 +945,7 @@ class TestReplicaInstall(CALessBase): "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has " 'expired.') + @teardown def test_http_bad_usage(self): "IPA replica install with HTTP certificate with invalid key usage" @@ -895,6 +958,7 @@ class TestReplicaInstall(CALessBase): 'The server certificate in http.p12 is not valid: ' 'invalid for a SSL server') + @teardown def test_ds_bad_usage(self): "IPA replica install with DS certificate with invalid key usage" @@ -907,6 +971,7 @@ class TestReplicaInstall(CALessBase): 'The server certificate in dirsrv.p12 is not valid: ' 'invalid for a SSL server') + @teardown def test_revoked_http(self): "IPA replica install with revoked HTTP certificate" @@ -923,6 +988,7 @@ class TestReplicaInstall(CALessBase): assert result.returncode > 0 + @teardown def test_revoked_ds(self): "IPA replica install with revoked DS certificate" @@ -939,6 +1005,7 @@ class TestReplicaInstall(CALessBase): assert result.returncode > 0 + @teardown def test_http_intermediate_ca(self): "IPA replica install with HTTP certificate issued by intermediate CA" @@ -948,9 +1015,10 @@ class TestReplicaInstall(CALessBase): result = self.prepare_replica(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert_error(result, - 'http.p12 is not signed by /etc/ipa/ca.crt, or the full ' - 'certificate chain is not present in the PKCS#12 file') + 'Apache Server SSL certificate and Directory Server SSL' + ' certificate are not signed by the same CA certificate') + @teardown def test_ds_intermediate_ca(self): "IPA replica install with DS certificate issued by intermediate CA" 
@@ -959,11 +1027,12 @@ class TestReplicaInstall(CALessBase): result = self.prepare_replica(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') - assert_error(result, - 'dirsrv.p12 is not signed by /etc/ipa/ca.crt, or the ' - 'full certificate chain is not present in the PKCS#12 ' - 'file') + assert_error(result, 'Apache Server SSL certificate and' + ' Directory Server SSL certificate are not' + ' signed by the same CA certificate') + @pytest.mark.xfail(reason='freeipa ticket 5721') + @teardown def test_valid_certs(self): "IPA replica install with valid certificates" @@ -972,12 +1041,11 @@ class TestReplicaInstall(CALessBase): result = self.prepare_replica(http_pkcs12='server.p12', dirsrv_pkcs12='server.p12') assert result.returncode == 0 + if self.domain_level > DOMAIN_LEVEL_0: + self.verify_installation() - result = self.install_replica() - assert result.returncode == 0 - - self.verify_installation() - + @pytest.mark.xfail(reason='freeipa ticket 5603') + @teardown def test_wildcard_http(self): "IPA replica install with wildcard HTTP certificate" @@ -987,12 +1055,11 @@ class TestReplicaInstall(CALessBase): result = self.prepare_replica(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert result.returncode == 0 + if self.domain_level > DOMAIN_LEVEL_0: + self.verify_installation() - result = self.install_replica() - assert result.returncode == 0 - - self.verify_installation() - + @pytest.mark.xfail(reason='freeipa ticket 5603') + @teardown def test_wildcard_ds(self): "IPA replica install with wildcard DS certificate" @@ -1002,12 +1069,10 @@ class TestReplicaInstall(CALessBase): result = self.prepare_replica(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert result.returncode == 0 + if self.domain_level > DOMAIN_LEVEL_0: + self.verify_installation() - result = self.install_replica() - assert result.returncode == 0 - - self.verify_installation() - + @teardown def test_http_san(self): "IPA replica install with HTTP certificate with SAN" 
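Review bot: `if self.domain_level > DOMAIN_LEVEL_0:` reads an attribute this hunk does not set; the install arguments use the module-level `config.domain_level` and prepare_replica uses `tasks.domainlevel(master)`, so there are now three sources for the same value. If `domain_level` is the base-class attribute that defaults to `None`, `None > DOMAIN_LEVEL_0` is False on Python 2 (verification silently skipped) and a TypeError on Python 3; use the same source as the install path. With `install_replica()` removed, the level-0 variant of these tests only runs ipa-replica-prepare and never installs or verifies the replica — either call `install_replica()` in the level-0 branch or document the reduced coverage with a comment. The same pattern repeats in the hunks on the next two lines.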
@@ -1017,12 +1082,10 @@ class TestReplicaInstall(CALessBase): result = self.prepare_replica(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert result.returncode == 0 + if self.domain_level > DOMAIN_LEVEL_0: + self.verify_installation() - result = self.install_replica() - assert result.returncode == 0 - - self.verify_installation() - + @teardown def test_ds_san(self): "IPA replica install with DS certificate with SAN" @@ -1032,12 +1095,10 @@ class TestReplicaInstall(CALessBase): result = self.prepare_replica(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') assert result.returncode == 0 + if self.domain_level > DOMAIN_LEVEL_0: + self.verify_installation() - result = self.install_replica() - assert result.returncode == 0 - - self.verify_installation() - + @teardown def test_interactive_missing_http_pkcs_password(self): "IPA replica install with missing HTTP PKCS#12 password" @@ -1049,12 +1110,10 @@ class TestReplicaInstall(CALessBase): result = self.prepare_replica(http_pin=None, unattended=False, stdin_text=stdin_text) assert result.returncode == 0 + if self.domain_level > DOMAIN_LEVEL_0: + self.verify_installation() - result = self.install_replica() - assert result.returncode == 0 - - self.verify_installation() - + @teardown def test_interactive_missing_ds_pkcs_password(self): "IPA replica install with missing DS PKCS#12 password" @@ -1066,12 +1125,11 @@ class TestReplicaInstall(CALessBase): result = self.prepare_replica(dirsrv_pin=None, unattended=False, stdin_text=stdin_text) assert result.returncode == 0 + if self.domain_level > DOMAIN_LEVEL_0: + self.verify_installation() - result = self.install_replica() - assert result.returncode == 0 - - self.verify_installation() - + @pytest.mark.xfail(reason='freeipa ticket 5789') + @teardown def test_no_http_password(self): "IPA replica install with empty HTTP password" 
@@ -1082,12 +1140,10 @@ class TestReplicaInstall(CALessBase): dirsrv_pkcs12='dirsrv.p12', http_pin='') assert result.returncode == 0 + if self.domain_level > DOMAIN_LEVEL_0: + self.verify_installation() - result = self.install_replica() - assert result.returncode == 0 - - self.verify_installation() - + @teardown def test_no_ds_password(self): "IPA replica install with empty DS password" @@ -1098,9 +1154,8 @@ class TestReplicaInstall(CALessBase): dirsrv_pkcs12='dirsrv.p12', dirsrv_pin='') assert result.returncode == 0 - - result = self.install_replica() - assert result.returncode == 0 + if self.domain_level > DOMAIN_LEVEL_0: + self.verify_installation() class TestClientInstall(CALessBase): @@ -1151,31 +1206,15 @@ class TestIPACommands(CALessBase): result = self.master.run_command(['ipa', command], raiseonerr=False) assert_error(result, "ipa: ERROR: unknown command '%s'" % command) - @pytest.mark.parametrize('command', ( - 'cert-status', - 'cert-show', - 'cert-find', - 'cert-revoke', - 'cert-remove-hold', - 'cert-status')) - def test_cert_commands_unavailable(self, command): - result = self.master.run_command(['ipa', command], raiseonerr=False) - assert_error(result, "ipa: ERROR: unknown command '%s'" % command) - - def test_cert_help_unavailable(self): - "Verify that cert plugin help is not available" - result = self.master.run_command(['ipa', 'help', 'cert'], - raiseonerr=False) - assert_error(result, - "ipa: ERROR: no command nor help topic 'cert'", - returncode=1) - @contextlib.contextmanager def host(self): "Context manager that adds and removes a host entry with a certificate" self.master.run_command(['ipa', 'host-add', self.test_hostname, '--force', '--certificate', self.client_pem]) + self.master.run_command(['ipa-getkeytab', '-s', self.master.hostname, + '-p' "host/%s" % self.test_hostname, + '-k', paths.IPA_KEYTAB]) try: yield finally: 
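Review bot: In the host() context manager the ipa-getkeytab argument list has a missing comma, `'-p' "host/%s" % self.test_hostname`, which concatenates into a single argv element `-phost/...`; it should be `'-p', "host/%s" % self.test_hostname`, matching the service() hunk below. Both calls write the test principal's key into `paths.IPA_KEYTAB` and the `finally` only deletes the directory entry, so the keytab keeps accumulating entries across runs; if that path is a keytab the server itself uses, this modifies a live credential file — use a temporary keytab and remove it in `finally`. The hunk also deletes test_cert_commands_unavailable and test_cert_help_unavailable without a stated reason.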
@@ -1189,6 +1228,10 @@ class TestIPACommands(CALessBase): self.master.run_command(['ipa', 'service-add', self.test_service, '--force', '--certificate', self.client_pem]) + self.master.run_command(['ipa-getkeytab', '-s', + self.master.hostname, + '-p', self.test_service, + '-k', paths.IPA_KEYTAB]) yield def test_service_mod_doesnt_revoke(self): @@ -1200,8 +1243,11 @@ class TestIPACommands(CALessBase): def test_service_disable_doesnt_revoke(self): "Verify that service-disable does not attempt to revoke certificate" with self.service(): - self.master.run_command(['ipa', 'service-disable', - self.test_service]) + result = self.master.run_command(['ipa', 'service-disable', + self.test_service], + raiseonerr=False) + assert(result.returncode == 0), ( + "Failed to disable ipa-service: %s" % result.stderr_text) def test_service_del_doesnt_revoke(self): "Verify that service-del does not attempt to revoke certificate" @@ -1229,7 +1275,7 @@ class TestIPACommands(CALessBase): class TestCertinstall(CALessBase): @classmethod def install(cls, mh): - super(TestCertinstall, cls).install() + super(TestCertinstall, cls).install(mh) cls.export_pkcs12('ca1/server') with open(cls.pem_filename, 'w') as f: @@ -1251,12 +1297,10 @@ class TestCertinstall(CALessBase): self.copy_cert(self.master, filename) if not args: args = ['ipa-server-certinstall', + '-p', self.master.config.dirman_password, '-%s' % mode, filename] if pin is not None: args += ['--pin', pin] - if mode == 'd': - args += ['--dirman-password', - self.master.config.dirman_password] return self.master.run_command(args, raiseonerr=False, stdin_text=stdin_text) 
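Review bot: In test_service_disable_doesnt_revoke (hunk -1200) the new `assert(result.returncode == 0), (...)` is written as if `assert` were a function; it is a statement, and the parenthesised form is one comma away from `assert (cond, msg)`, which always passes. Prefer `assert result.returncode == 0, "Failed to disable ipa-service: %s" % result.stderr_text`. Since the replaced call presumably failed the test already through run_command's default error handling, the gain of the change is the explicit message, so it is worth keeping it in the conventional form.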
@@ -1275,14 +1319,16 @@ class TestCertinstall(CALessBase): cert_exists=False) assert_error(result, 'Failed to open does_not_exist') - def test_incorect_http_pin(self): + @pytest.mark.xfail(reason='freeipa ticket 5378') + def test_incorrect_http_pin(self): "Install new HTTP certificate with incorrect PKCS#12 password" result = self.certinstall('w', 'ca1/server', pin='bad<pin>') assert_error(result, 'incorrect password for pkcs#12 file server.p12') - def test_incorect_dirsrv_pin(self): + @pytest.mark.xfail(reason='freeipa ticket 5378') + def test_incorrect_dirsrv_pin(self): "Install new DS certificate with incorrect PKCS#12 password" result = self.certinstall('d', 'ca1/server', pin='bad<pin>') @@ -1367,28 +1413,20 @@ class TestCertinstall(CALessBase): "Install new HTTP certificate issued by intermediate CA" result = self.certinstall('w', 'ca1/subca/server') - assert_error(result, - 'server.p12 is not signed by /etc/ipa/ca.crt, or the ' - 'full certificate chain is not present in the PKCS#12 ' - 'file') + assert result.returncode == 0, result.stderr_text def test_ds_intermediate_ca(self): "Install new DS certificate issued by intermediate CA" result = self.certinstall('d', 'ca1/subca/server') - assert_error(result, - 'server.p12 is not signed by /etc/ipa/ca.crt, or the ' - 'full certificate chain is not present in the PKCS#12 ' - 'file') + assert result.returncode == 0, result.stderr_text def test_self_signed(self): "Install new self-signed certificate" result = self.certinstall('w', 'server-selfsign') assert_error(result, - 'server.p12 is not signed by /etc/ipa/ca.crt, or the ' - 'full certificate chain is not present in the PKCS#12 ' - 'file') + 'The full certificate chain is not present in server.p12') def test_valid_http(self): "Install new valid HTTP certificate" 
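Review bot: test_http_intermediate_ca and test_ds_intermediate_ca (hunk -1367) now accept the install on exit status alone, `assert result.returncode == 0, result.stderr_text`, where they previously asserted the chain error, so nothing in these tests confirms that the intermediate CA certificate actually ended up installed next to the server certificate; a follow-up assertion that the intermediate is present after the install would make the relaxed check safe. test_self_signed keeps an error assertion but only on the new message text, so it depends on 'The full certificate chain is not present in server.p12' being the exact wording emitted. The bodies of these tests begin outside the hunk.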
@@ -1402,12 +1440,14 @@ class TestCertinstall(CALessBase): result = self.certinstall('d', 'ca1/server') assert result.returncode == 0 + @pytest.mark.xfail(reason='freeipa ticket 5603') def test_wildcard_http(self): "Install new wildcard HTTP certificate" result = self.certinstall('w', 'ca1/wildcard') assert result.returncode == 0 + @pytest.mark.xfail(reason='freeipa ticket 5603') def test_wildcard_ds(self): "Install new wildcard DS certificate" @@ -1463,7 +1503,7 @@ class TestCertinstall(CALessBase): '--http-pin', self.cert_password] result = self.certinstall('w', 'ca1/server', args=args) - assert result.returncode == 0 + assert_error(result, "no such option: --http-pin") def test_ds_old_options(self): "Install new valid DS certificate using pre-v3.3 CLI options" @@ -1476,4 +1516,4 @@ class TestCertinstall(CALessBase): result = self.certinstall('d', 'ca1/server', args=args, stdin_text=stdin_text) - assert result.returncode == 0 + assert_error(result, "no such option: --dirsrv-pin") -- 1.8.3.1