Hi Martin,

The file was renamed. Did I understand correctly that for now we are leaving the test as is and are planning to extend it later?


On 09/15/2016 09:49 AM, Martin Basti wrote:


On 14.09.2016 18:53, Sumit Bose wrote:
On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:

On 14.09.2016 17:53, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:

On 14.09.2016 17:41, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:
1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?
You cannot add a non-AD user to 'default trust view', so you will not be able to set up certificates on an ID override which does not exist.

For a non-'default trust view' you can add both IPA and AD users, so use some other view and then assign a certificate for an ID override in that one.

Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can this be tested with SSSD?
You need to log into the system with a certificate...
Is this possible from test? We are logged remotely as root, is there any
cmdline util which allows us to test certificate against AD user?

You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate. This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH

bye,
Sumit

Thank you Alexander and Sumit for the hints.

Oleg, I realized we don't have any other idviews integration tests.

So I propose to rename the test file you are adding to test_idviews.py. We
can add more test cases for idviews there later.

Martin^2

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
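Sumit's hint above is that `sss_ssh_authorizedkeys aduser@ad.domain` returns the ssh key derived from the public key in the certificate stored on the override. As an added example (not part of this thread, of the patch, or of FreeIPA/SSSD code), the stdlib-only Python below derives that expected `ssh-rsa` authorized_keys line from a DER certificate such as the one `certutil -L -a` exports, so a test can compare it with the command's output instead of only checking that `idoverrideuser-show` echoes the base64 back. It assumes an RSA key (certutil's default) and rejects other key types explicitly. The sample certificate is constructed inside the block with a placeholder signature and an arbitrary modulus-sized integer, purely to exercise the parser; it is not a real or verifiable certificate.

```python
import base64
import struct

RSA_OID = bytes.fromhex("2A864886F70D010101")      # 1.2.840.113549.1.1.1 rsaEncryption


def der_read_tlv(data, pos=0):
    """Return (tag, contents, next_pos) for the definite-length TLV at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                               # long form: N length bytes follow
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def der_children(contents):
    """Split the contents of a SEQUENCE/SET into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = der_read_tlv(contents, pos)
        out.append((tag, val))
    return out


def extract_rsa_public_numbers(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo -> (n, e)."""
    _, cert, _ = der_read_tlv(cert_der)
    _, tbs, _ = der_read_tlv(cert)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki = fields[5]
    if spki_tag != 0x30:
        raise ValueError("unexpected subjectPublicKeyInfo tag")
    (_, alg), (_, bitstr) = der_children(spki)
    if der_children(alg)[0][1] != RSA_OID:
        raise ValueError("not an RSA key: sss_ssh_authorizedkeys would emit another key type")
    rsa_key = bitstr[1:]                            # skip the unused-bits byte of the BIT STRING
    (_, n_bytes), (_, e_bytes) = der_children(der_read_tlv(rsa_key)[1])
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def ssh_mpint(value):
    """RFC 4251 mpint: length-prefixed big-endian, leading 0x00 if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def ssh_rsa_blob(n, e):
    """Wire encoding of an ssh-rsa public key (the base64 part of an authorized_keys line)."""
    return struct.pack(">I", 7) + b"ssh-rsa" + ssh_mpint(e) + ssh_mpint(n)


def authorized_key_from_der(cert_der):
    n, e = extract_rsa_public_numbers(cert_der)
    return "ssh-rsa " + base64.b64encode(ssh_rsa_blob(n, e)).decode("ascii")


def pem_to_der(pem_text):
    """Undo the PEM framing that `certutil -L -a` produces."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


# --- constructed sample certificate (placeholder signature, not verifiable) ---

def der_tlv(tag, contents):
    n = len(contents)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + contents


def der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return der_tlv(0x02, raw)


def build_sample_cert(n, e):
    rsa_alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, rsa_alg + der_tlv(0x03, b"\x00" + der_tlv(0x30, der_int(n) + der_int(e))))
    cn = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x0C, b"MyCert1"))  # CN=MyCert1
    name = der_tlv(0x30, der_tlv(0x31, cn))
    validity = der_tlv(0x30, der_tlv(0x17, b"160906000000Z") * 2)
    sig_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + der_tlv(0x05, b""))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_int(2)) + der_int(1234) + sig_alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" * 17))   # placeholder signature bits


SAMPLE_N = (1 << 2047) | 0x1234567                  # constructed modulus-sized integer, not a real key
SAMPLE_E = 65537
SAMPLE_CERT_DER = build_sample_cert(SAMPLE_N, SAMPLE_E)

if __name__ == "__main__":
    # Compare this line against `sss_ssh_authorizedkeys aduser@ad.domain` on a client with the override
    print(authorized_key_from_der(SAMPLE_CERT_DER))
```

In an integration test the input would be `pem_to_der(open(adcert1_file).read())` on the controller, and the assertion would be that the string `sss_ssh_authorizedkeys` prints for the AD user equals `authorized_key_from_der(...)`; because SSSD derives the key from the certificate's public key, that comparison proves the override was actually consumed, which checking `idoverrideuser-show` output alone cannot.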
From 1a0039b64023b0bb3c9289128413b4ccef489ec4 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 6 Sep 2016 13:55:16 +0200
Subject: [PATCH] Automated test for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 .../test_integration/test_idviews.py  | 121 +++++++++++++++++++++
 1 file changed, 121 insertions(+)
 create mode 100644 ipatests/test_integration/test_idviews.py

diff --git a/ipatests/test_integration/test_idviews.py b/ipatests/test_integration/test_idviews.py
new file mode 100644
index 0000000000000000000000000000000000000000..762ce71a5ed8883b2a2d5bc4185b5ffcb52a4edb
--- /dev/null
+++ b/ipatests/test_integration/test_idviews.py
@@ -0,0 +1,121 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+import string
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.tasks import assert_error
+from ipatests.test_integration.env_config import get_global_config
+config = get_global_config()
+
+
+class TestCertsInIDOverrides(IntegrationTest):
+    topology = "line"
+    service_certprofile = 'caIPAserviceCert'
+    num_ad_domains = 1
+    user_certprofile = 'caIPAuserCert'
+    adview = 'Default Trust View'
+    cert_re = re.compile('Certificate: (?P<cert>.*?)\\s+.*')
+    ad = config.ad_domains[0].ads[0]
+    ad_domain = ad.domain.name
+    aduser = "testuser@%s" % ad_domain
+    adcert1 = 'MyCert1'
+    adcert2 = 'MyCert2'
+    adcert1_file = adcert1 + '.crt'
+    adcert2_file = adcert2 + '.crt'
+
+    @classmethod
+    def uninstall(cls, mh):
+        super(TestCertsInIDOverrides, cls).uninstall(mh)
+        cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False)
+
+    @classmethod
+    def install(cls, mh):
+        super(TestCertsInIDOverrides, cls).install(mh)
+        master = cls.master
+
+        # AD-related stuff
+        tasks.install_adtrust(master)
+        tasks.sync_time(master, cls.ad)
+        tasks.establish_trust_with_ad(cls.master, cls.ad_domain,
+                                      extra_args=['--range-type',
+                                                  'ipa-ad-trust'])
+
+        tasks.sync_time(cls.master, cls.ad)
+        master.run_command(['ipa', 'certprofile-show', cls.service_certprofile,
+                            "--out=%s.txt" % cls.user_certprofile])
+        master.run_command("sed -i \"s/profileId=%s/profileId=%s/\" %s.txt" % (
+            cls.service_certprofile, cls.user_certprofile,
+            cls.user_certprofile)
+        )
+        master.run_command(['ipa', 'certprofile-import', cls.user_certprofile,
+                            "--file=%s.txt" % cls.user_certprofile,
+                            '--store=true', '--desc="User Certs"'])
+
+        cls.reqdir = os.path.join(master.config.test_dir, "certs")
+        cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
+        cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
+        cls.pwname = os.path.join(cls.reqdir, "pwd")
+
+        # Create a NSS database folder
+        master.run_command(['mkdir', cls.reqdir], raiseonerr=False)
+        # Create an empty password file
+        master.run_command(["touch", cls.pwname], raiseonerr=False)
+
+        # Initialize NSS database
+        tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir)
+        # Now generate self-signed certs for a windows user
+        stdin_text = string.digits+string.letters[2:] + '\n'
+        tasks.run_certutil(master, ['-S', '-s',
+                                    "cn=%s,dc=ad,dc=test" % cls.adcert1, '-n',
+                                    cls.adcert1, '-x', '-t', 'CT,C,C', '-v',
+                                    '120', '-m', '1234'],
+                           cls.reqdir, stdin=stdin_text)
+        tasks.run_certutil(master, ['-S', '-s',
+                                    "cn=%s,dc=ad,dc=test" % cls.adcert2, '-n',
+                                    cls.adcert2, '-x', '-t', 'CT,C,C', '-v',
+                                    '120', '-m', '1234'],
+                           cls.reqdir, stdin=stdin_text)
+
+        # Export the previously generated cert
+        tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>',
+                                    cls.adcert1_file], cls.reqdir)
+        tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>',
+                                    cls.adcert2_file], cls.reqdir)
+        cls.cert1_base64 = cls.master.run_command(
+            "openssl x509 -outform der -in %s | base64 -w 0" % cls.adcert1_file
+            ).stdout_text
+        cls.cert2_base64 = cls.master.run_command(
+            "openssl x509 -outform der -in %s | base64 -w 0" % cls.adcert2_file
+            ).stdout_text
+
+    def test_certs_in_idoverrides_ad_users(self):
+        master = self.master
+        master.run_command(['ipa', 'idoverrideuser-add',
+                            self.adview, self.aduser])
+        master.run_command(['ipa', 'idoverrideuser-add-cert',
+                            self.adview, self.aduser,
+                            "--certificate=%s" % self.cert1_base64])
+        result = master.run_command(['ipa', 'idoverrideuser-add-cert',
+                                     self.adview, self.aduser,
+                                     "--certificate=%s" % self.cert1_base64],
+                                    raiseonerr=False)
+        assert_error(result, "already contains one or more values")
+
+        result1 = master.run_command(['ipa', 'idoverrideuser-show',
+                                      self.adview, self.aduser])
+        assert(self.cert1_base64 in result1.stdout_text), (
+            "idoverrideuser-show does not show the user certificate")
+        master.run_command(['ipa', 'idoverrideuser-add-cert',
+                            self.adview, self.aduser,
+                            "--certificate=%s" % self.cert2_base64])
+        result2 = master.run_command(['ipa', 'idoverrideuser-show',
+                                      self.adview, self.aduser])
+        assert(self.cert2_base64 in result2.stdout_text), (
+            "idoverrideuser-show does not show all user certificates")
+        master.run_command(['ipa', 'idoverrideuser-remove-cert',
+                            self.adview, self.aduser,
+                            "--certificate=%s" % self.cert2_base64])
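Review bot: the test ends with `idoverrideuser-remove-cert` for cert2 but never checks the outcome, so a removal that silently leaves the value in place would still pass; add an `idoverrideuser-show` after it and assert `self.cert2_base64 not in result.stdout_text` (and, since the thread suggested it, consider checking the SSSD side with `sss_ssh_authorizedkeys` for `self.aduser`). In `uninstall`, `cls.reqdir` is only assigned halfway through `install`; if `install_adtrust` or `establish_trust_with_ad` raises first, `uninstall` fails with AttributeError and hides the original error, so set `cls.reqdir` before the trust setup or use `getattr(cls, 'reqdir', None)`. Smaller points in the same hunk: `cert_re` (and therefore the `re` import) is unused; `tasks.sync_time(master, cls.ad)` is called twice; `string.letters` exists only on Python 2 (`string.ascii_letters` works on both); the subject `dc=ad,dc=test` is hardcoded while the domain otherwise comes from `cls.ad_domain`; `'--desc="User Certs"'` in list form keeps the inner quotes as part of the description; and passing `'>'` inside the argument list to `run_certutil` relies on that helper joining the list into a shell string, so if it ever passes the list straight to `run_command`, `>` becomes a literal certutil argument and the export silently stops writing the file.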
-- 
1.8.3.1
