URL: https://github.com/freeipa/freeipa/pull/224 Author: ofayans Title: #224: Integration tests for certs in idoverrides Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/224/head:pr224 git checkout pr224
From c0faf1d8263c11d110a63b912c82a74e2f04a4d8 Mon Sep 17 00:00:00 2001 From: Oleg Fayans <ofay...@redhat.com> Date: Tue, 6 Sep 2016 12:39:45 +0200 Subject: [PATCH 1/3] Added interface to certutil --- ipatests/test_integration/tasks.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py index df5e408..dcf9ab8 100644 --- a/ipatests/test_integration/tasks.py +++ b/ipatests/test_integration/tasks.py @@ -1207,6 +1207,13 @@ def run_server_del(host, server_to_delete, force=False, return host.run_command(args, raiseonerr=False) +def run_certutil(host, args, reqdir, stdin=None, raiseonerr=True): + new_args = [paths.CERTUTIL, "-d", reqdir] + new_args = " ".join(new_args + args) + return host.run_command(new_args, raiseonerr=raiseonerr, + stdin_text=stdin) + + def assert_error(result, stderr_text, returncode=None): "Assert that `result` command failed and its stderr contains `stderr_text`" assert stderr_text in result.stderr_text, result.stderr_text From 8967612df5461669862f2609bdf69ecf7d1a0901 Mon Sep 17 00:00:00 2001 From: Oleg Fayans <ofay...@redhat.com> Date: Thu, 10 Nov 2016 10:32:41 +0100 Subject: [PATCH 2/3] Test: integration tests for certs in idoverrides feature https://fedorahosted.org/freeipa/ticket/6005 --- ipatests/test_integration/test_idviews.py | 156 ++++++++++++++++++++++++++++++ 1 file changed, 156 insertions(+) create mode 100644 ipatests/test_integration/test_idviews.py diff --git a/ipatests/test_integration/test_idviews.py b/ipatests/test_integration/test_idviews.py new file mode 100644 index 0000000..c35997c --- /dev/null +++ b/ipatests/test_integration/test_idviews.py 
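Review bot: `run_certutil` collapses `args` into one string with `" ".join` before calling `host.run_command`, and the only visible reason is that the new test passes a literal `'>'` redirect, which implies the string form is executed by a shell with no quoting at all; any argument holding whitespace or a shell metacharacter (a subject DN with spaces, a nickname with quotes) is re-split or interpreted instead of reaching certutil intact. Unless the shell form is really needed, keep the list form, `return host.run_command([paths.CERTUTIL, "-d", reqdir] + args, raiseonerr=raiseonerr, stdin_text=stdin)`, and have callers write the PEM via certutil's own output option rather than a redirect; if the string form must stay, quote each element with `pipes.quote`/`shlex.quote` and adjust the callers that rely on `'>'`. The helper also has no docstring, unlike the neighbouring `assert_error`; something like `"""Run certutil against the NSS database in reqdir on host, feeding stdin (e.g. a key-generation seed) to the command."""` would do. Whichever form is chosen, the contract that `args` is a list of individual argv entries (not pre-joined text) belongs in that docstring.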
@@ -0,0 +1,156 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +import os +import re +import string +from ipatests.test_integration import tasks +from ipatests.test_integration.base import IntegrationTest +from ipatests.test_integration.env_config import get_global_config +from ipaplatform.paths import paths +config = get_global_config() + + +class TestCertsInIDOverrides(IntegrationTest): + topology = "line" + num_ad_domains = 1 + adview = 'Default Trust View' + cert_re = re.compile('Certificate: (?P<cert>.*?)\\s+.*') + adcert1 = 'MyCert1' + adcert2 = 'MyCert2' + adcert1_file = adcert1 + '.crt' + adcert2_file = adcert2 + '.crt' + + @classmethod + def uninstall(cls, mh): + super(TestCertsInIDOverrides, cls).uninstall(mh) + cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False) + + @classmethod + def install(cls, mh): + super(TestCertsInIDOverrides, cls).install(mh) + cls.ad = config.ad_domains[0].ads[0] + cls.ad_domain = cls.ad.domain.name + cls.aduser = "testuser@%s" % cls.ad_domain + + master = cls.master + # A setup for test_dbus_user_lookup + master.run_command(['dnf', 'install', '-y', 'sssd-dbus'], + raiseonerr=False) + # The tasks.modify_sssd_conf way did not work because + # sssd_domain.set_option knows nothing about 'services' parameter of + # the sssd config file. 
Therefore I am using sed approach + master.run_command( + "sed -i '/^services/ s/$/, ifp/' %s" % paths.SSSD_CONF) + master.run_command( + "sed -i 's/= 7/= 0xFFF0/' %s" % paths.SSSD_CONF, raiseonerr=False) + master.run_command(['systemctl', 'restart', 'sssd.service']) + # End of setup for test_dbus_user_lookup + + # AD-related stuff + tasks.install_adtrust(master) + tasks.sync_time(master, cls.ad) + tasks.establish_trust_with_ad(cls.master, cls.ad_domain, + extra_args=['--range-type', + 'ipa-ad-trust']) + + cls.reqdir = os.path.join(master.config.test_dir, "certs") + cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr") + cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr") + cls.pwname = os.path.join(cls.reqdir, "pwd") + + # Create a NSS database folder + master.run_command(['mkdir', cls.reqdir], raiseonerr=False) + # Create an empty password file + master.run_command(["touch", cls.pwname], raiseonerr=False) + + # Initialize NSS database + tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir) + # Now generate self-signed certs for a windows user + stdin_text = string.digits+string.letters[2:] + '\n' + tasks.run_certutil(master, ['-S', '-s', + "cn=%s,dc=ad,dc=test" % cls.adcert1, '-n', + cls.adcert1, '-x', '-t', 'CT,C,C', '-v', + '120', '-m', '1234'], + cls.reqdir, stdin=stdin_text) + tasks.run_certutil(master, ['-S', '-s', + "cn=%s,dc=ad,dc=test" % cls.adcert2, '-n', + cls.adcert2, '-x', '-t', 'CT,C,C', '-v', + '120', '-m', '1234'], + cls.reqdir, stdin=stdin_text) + + # Export the previously generated cert + tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>', + cls.adcert1_file], cls.reqdir) + tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>', + cls.adcert2_file], cls.reqdir) + cls.cert1_base64 = cls.master.run_command( + "openssl x509 -outform der -in %s | base64 -w 0" % cls.adcert1_file + ).stdout_text + cls.cert2_base64 = cls.master.run_command( + "openssl x509 -outform der -in %s | base64 -w 0" % cls.adcert2_file + 
).stdout_text + cls.cert1_pem = cls.master.run_command( + "openssl x509 -in %s -outform pem" % cls.adcert1_file + ).stdout_text + cls.cert2_pem = cls.master.run_command( + "openssl x509 -in %s -outform pem" % cls.adcert2_file + ).stdout_text + + def test_certs_in_idoverrides_ad_users(self): + """ + http://www.freeipa.org/page/V4/Certs_in_ID_overrides/Test_Plan + #Test_case:_Manipulate_certificate_in_ID_override_entry + """ + master = self.master + master.run_command(['ipa', 'idoverrideuser-add', + self.adview, self.aduser]) + master.run_command(['ipa', 'idoverrideuser-add-cert', + self.adview, self.aduser, + "--certificate=%s" % self.cert1_base64]) + master.run_command(['ipa', 'idoverrideuser-add-cert', + self.adview, self.aduser, + "--certificate=%s" % self.cert2_base64]) + result = master.run_command(['ipa', 'idoverrideuser-show', + self.adview, self.aduser]) + assert(self.cert1_base64 in result.stdout_text and + self.cert2_base64 in result.stdout_text), ( + "idoverrideuser-show does not show all user certificates") + master.run_command(['ipa', 'idoverrideuser-remove-cert', + self.adview, self.aduser, + "--certificate=%s" % self.cert2_base64]) + + def test_dbus_user_lookup(self): + """ + http://www.freeipa.org/page/V4/Certs_in_ID_overrides/Test_Plan + #Test_case:_User_lookup_by_certificate + """ + + master = self.master + userpath_re = re.compile('.*object path "(.*?)".*') + + result0 = master.run_command([ + 'dbus-send', '--system', '--print-reply', + '--dest=org.freedesktop.sssd.infopipe', + '/org/freedesktop/sssd/infopipe/Users', + 'org.freedesktop.sssd.infopipe.Users.FindByCertificate', + "string:%s" % self.cert1_pem]) + assert("object path" in result0.stdout_text), ( + "command output did not contain expected" + "string:\n\n%s" % result0.stdout_text) + userpath = userpath_re.findall(result0.stdout_text)[0] + result1 = master.run_command( + "dbus-send --system --print-reply" + " --dest=org.freedesktop.sssd.infopipe" + " %s org.freedesktop.DBus.Properties.Get" 
+ " string:\"org.freedesktop.sssd.infopipe.Users.User\"" + " string:\"name\"" % userpath, raiseonerr=False) + assert(self.aduser in result1.stdout_text) + result2 = master.run_command( + "dbus-send --system --print-reply" + " --dest=org.freedesktop.sssd.infopipe" + " %s org.freedesktop.DBus.Properties.GetAll" + " string:\"org.freedesktop.sssd.infopipe.Users.User\"" % userpath + ) + assert('dict entry' in result2.stdout_text) From 190e108806aa27a1d20921da811334f27dc74137 Mon Sep 17 00:00:00 2001 From: Oleg Fayans <ofay...@redhat.com> Date: Tue, 25 Oct 2016 11:19:05 +0200 Subject: [PATCH 3/3] Test for installing rules with service principals https://fedorahosted.org/freeipa/ticket/6481 --- ipatests/test_integration/test_idviews.py | 82 +++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) diff --git a/ipatests/test_integration/test_idviews.py b/ipatests/test_integration/test_idviews.py index c35997c..9df8c0a 100644 --- a/ipatests/test_integration/test_idviews.py +++ b/ipatests/test_integration/test_idviews.py 
@@ -154,3 +154,85 @@ def test_dbus_user_lookup(self): " string:\"org.freedesktop.sssd.infopipe.Users.User\"" % userpath ) assert('dict entry' in result2.stdout_text) + + +class TestRulesWithServicePrincipals(IntegrationTest): + """ + https://fedorahosted.org/freeipa/ticket/6146 + """ + + topology = 'star' + num_replicas = 0 + service_certprofile = 'caIPAserviceCert' + caacl = 'test_caacl' + keytab = "replica.keytab" + csr = "my.csr" + csr_conf = "replica.cnf" + + @classmethod + def prepare_config(cls): + template = """ +req_extensions = v3_req +distinguished_name = req_distinguished_name + +[req_distinguished_name] +commonName = %s + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectAltName = @alt_names + +[alt_names] +DNS.1 = %s +DNS.2 = %s +EOF + """ + + contents = template % (cls.replica, cls.replica, cls.master.hostname) + cls.master.run_command("cat <<EOF > %s\n%s" % (cls.csr_conf, contents)) + + @classmethod + def install(cls, mh): + super(TestRulesWithServicePrincipals, cls).install(mh) + master = cls.master + tasks.kinit_admin(master) + cls.replica = "replica.%s" % master.domain.name + master.run_command(['ipa', 'host-add', cls.replica, '--force']) + cls.service_name = "svc/%s" % master.hostname + cls.replica_service_name = "svc/%s" % cls.replica + master.run_command("ipa service-add %s" % cls.service_name) + master.run_command("ipa service-add %s --force" % + cls.replica_service_name) + master.run_command("ipa service-add-host %s --hosts %s" % ( + cls.service_name, cls.replica)) + master.run_command("ipa caacl-add %s --desc \"test\"" % cls.caacl) + master.run_command("ipa caacl-add-host %s --hosts %s" % (cls.caacl, + cls.replica)) + master.run_command("ipa caacl-add-service %s --services" + " svc/`hostname`" % cls.caacl) + master.run_command("ipa-getkeytab -p host/%s@%s -k %s" % ( + cls.replica, master.domain.realm, cls.keytab)) + 
master.run_command("kinit -kt %s host/%s" % (cls.keytab, cls.replica)) + + # Prepare a CSR + + cls.prepare_config() + stdin_text = "qwerty\nqwerty\n%s\n" % cls.replica + + master.run_command(['openssl', 'req', '-config', cls.csr_conf, '-new', + '-out', cls.csr], stdin_text=stdin_text) + + def test_rules_with_service_principals(self): + result = self.master.run_command(['ipa', 'cert-request', self.csr, + '--principal', "svc/%s@%s" % ( + self.replica, + self.master.domain.realm), + '--profile-id', + self.service_certprofile], + raiseonerr=False) + assert(result.returncode == 0), ( + 'Failed to add a cert to custom certprofile')