--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From a33a5aea0f12f63d53ff773b3d5e615b1f582d7f Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 10 Aug 2016 10:29:59 +0200
Subject: [PATCH] Test for installing rules with service principals

https://fedorahosted.org/freeipa/ticket/6146
---
 .../test_integration/test_certs_in_idoverrides.py  | 82 ++++++++++++++++++++++
 1 file changed, 82 insertions(+)

diff --git a/ipatests/test_integration/test_certs_in_idoverrides.py b/ipatests/test_integration/test_certs_in_idoverrides.py
index 9114c4f91cd6378acc53caa068b852ae15670d7a..b9eabdf36abff73d8cd5daab0a1ada2c4dffbca6 100644
--- a/ipatests/test_integration/test_certs_in_idoverrides.py
+++ b/ipatests/test_integration/test_certs_in_idoverrides.py
@@ -10,6 +10,88 @@ from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration.tasks import assert_error
 
 
+class TestRulesWithServicePrincipals(IntegrationTest):
+    """
+    https://fedorahosted.org/freeipa/ticket/6146
+    """
+
+    topology = 'star'
+    num_replicas = 0
+    service_certprofile = 'caIPAserviceCert'
+    caacl = 'test_caacl'
+    keytab = "replica.keytab"
+    csr = "my.csr"
+    csr_conf = "replica.cnf"
+
+    @classmethod
+    def prepare_config(cls):
+        template = """
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+commonName = %s
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = %s
+DNS.2 = %s
+EOF
+        """
+
+        contents = template % (cls.replica, cls.replica, cls.master.hostname)
+        cls.master.run_command("cat <<EOF > %s\n%s" % (cls.csr_conf, contents))
+
+    @classmethod
+    def install(cls, mh):
+        super(TestRulesWithServicePrincipals, cls).install(mh)
+        master = cls.master
+        tasks.kinit_admin(master)
+        cls.replica = "replica.%s" % master.domain.name
+        master.run_command(['ipa', 'host-add', cls.replica, '--force'])
+        cls.service_name = "svc/%s" % master.hostname
+        cls.replica_service_name = "svc/%s" % cls.replica
+        master.run_command("ipa service-add %s" % cls.service_name)
+        master.run_command("ipa service-add %s --force" %
+                           cls.replica_service_name)
+        master.run_command("ipa service-add-host %s --hosts %s" % (
+            cls.service_name, cls.replica))
+        master.run_command("ipa caacl-add %s --desc \"test\"" % cls.caacl)
+        master.run_command("ipa caacl-add-host %s --hosts %s" % (cls.caacl,
+                                                                 cls.replica))
+        master.run_command("ipa caacl-add-service %s --services"
+                           " svc/`hostname`" % cls.caacl)
+        master.run_command("ipa-getkeytab -p host/%s@%s -k %s" % (
+            cls.replica, master.domain.realm, cls.keytab))
+        master.run_command("kinit -kt %s host/%s" % (cls.keytab, cls.replica))
+
+        # Prepare a CSR
+
+        cls.prepare_config()
+        stdin_text = "qwerty\nqwerty\n%s\n" % cls.replica
+
+        master.run_command(['openssl', 'req', '-config', cls.csr_conf, '-new',
+                            '-out', cls.csr], stdin_text=stdin_text)
+
+    def test_rules_with_service_principals(self):
+        result = self.master.run_command(['ipa', 'cert-request', self.csr,
+                                          '--principal', "svc/%s@%s" % (
+                                              self.replica,
+                                              self.master.domain.realm),
+                                          '--profile-id',
+                                          self.service_certprofile],
+                                         raiseonerr=False)
+        assert(result.returncode == 0), (
+            'Failed to add a cert to custom certprofile')
+
+
 class TestCertsInIDOverrides(IntegrationTest):
     topology = "line"
     service_certprofile = 'caIPAserviceCert'
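Review bot: Most commands in install() are built with `%` interpolation and handed to run_command as one shell string, and the caacl-add-service call also wraps `hostname` in shell backticks, so the service added to the CA ACL depends on what that command prints on the master rather than on `cls.service_name` computed a few lines earlier. The list form already used for host-add and openssl keeps the arguments out of shell parsing, e.g. `master.run_command(['ipa', 'caacl-add-service', cls.caacl, '--services', cls.service_name])`. install() also leaves `replica.keytab`, the CSR and the private key that `openssl req -new` presumably generates (protected only by the fixed passphrase fed on stdin) in the working directory, and leaves the host principal's ticket in the credential cache; no uninstall() in this hunk removes them. The hunk context shows only `assert_error` imported from the tasks module, so confirm that the name `tasks` used by `tasks.kinit_admin` is bound elsewhere in the file.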
-- 
1.8.3.1
