URL: https://github.com/freeipa/freeipa/pull/224
Author: ofayans
 Title: #224: Integration tests for certs in idoverrides
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/224/head:pr224
git checkout pr224
From b26d7b67ff1ebcf81231376318249554ec339d55 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 6 Sep 2016 12:39:45 +0200
Subject: [PATCH 1/3] Added interface to certutil

Added a generic method to run certutil with an arbitrary set of parameters
---
 ipatests/test_integration/tasks.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index df5e408..dcf9ab8 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1207,6 +1207,13 @@ def run_server_del(host, server_to_delete, force=False,
     return host.run_command(args, raiseonerr=False)
 
 
+def run_certutil(host, args, reqdir, stdin=None, raiseonerr=True):
+    new_args = [paths.CERTUTIL, "-d", reqdir]
+    new_args = " ".join(new_args + args)
+    return host.run_command(new_args, raiseonerr=raiseonerr,
+                            stdin_text=stdin)
+
+
 def assert_error(result, stderr_text, returncode=None):
     "Assert that `result` command failed and its stderr contains `stderr_text`"
     assert stderr_text in result.stderr_text, result.stderr_text
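Review bot: Collapsing the argument list into one string at `new_args = " ".join(new_args + args)` hands the command to a shell, so any argument containing a space or a shell metacharacter (a subject DN with spaces, a path with quotes) is re-split or interpreted instead of reaching certutil as a single argument. The adjacent `run_server_del` passes its `args` to `run_command` unmodified, and the only apparent reason for the string form is to let callers smuggle `>` redirection through `args`. I would keep the list form, `return host.run_command(new_args + args, raiseonerr=raiseonerr, stdin_text=stdin)`, and have callers capture `result.stdout_text` rather than redirecting. A docstring stating that `args` is a list of certutil arguments appended after `-d reqdir` and that `stdin` is fed to the process would also help.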

From a7e853457a012a9f587f1af0cc92f121cf9a1fbd Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Thu, 10 Nov 2016 10:32:41 +0100
Subject: [PATCH 2/3] Test: integration tests for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 ipatests/test_integration/test_idviews.py | 156 ++++++++++++++++++++++++++++++
 1 file changed, 156 insertions(+)
 create mode 100644 ipatests/test_integration/test_idviews.py

diff --git a/ipatests/test_integration/test_idviews.py b/ipatests/test_integration/test_idviews.py
new file mode 100644
index 0000000..c35997c
--- /dev/null
+++ b/ipatests/test_integration/test_idviews.py
@@ -0,0 +1,156 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+import string
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.env_config import get_global_config
+from ipaplatform.paths import paths
+config = get_global_config()
+
+
+class TestCertsInIDOverrides(IntegrationTest):
+    topology = "line"
+    num_ad_domains = 1
+    adview = 'Default Trust View'
+    cert_re = re.compile('Certificate: (?P<cert>.*?)\\s+.*')
+    adcert1 = 'MyCert1'
+    adcert2 = 'MyCert2'
+    adcert1_file = adcert1 + '.crt'
+    adcert2_file = adcert2 + '.crt'
+
+    @classmethod
+    def uninstall(cls, mh):
+        super(TestCertsInIDOverrides, cls).uninstall(mh)
+        cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False)
+
+    @classmethod
+    def install(cls, mh):
+        super(TestCertsInIDOverrides, cls).install(mh)
+        cls.ad = config.ad_domains[0].ads[0]
+        cls.ad_domain = cls.ad.domain.name
+        cls.aduser = "testuser@%s" % cls.ad_domain
+
+        master = cls.master
+        # A setup for test_dbus_user_lookup
+        master.run_command(['dnf', 'install', '-y', 'sssd-dbus'],
+                           raiseonerr=False)
+        # The tasks.modify_sssd_conf way did not work because
+        # sssd_domain.set_option knows nothing about 'services' parameter of
+        # the sssd config file. Therefore I am using sed approach
+        master.run_command(
+            "sed -i '/^services/ s/$/, ifp/' %s" % paths.SSSD_CONF)
+        master.run_command(
+            "sed -i 's/= 7/= 0xFFF0/' %s" % paths.SSSD_CONF, raiseonerr=False)
+        master.run_command(['systemctl', 'restart', 'sssd.service'])
+        # End of setup for test_dbus_user_lookup
+
+        # AD-related stuff
+        tasks.install_adtrust(master)
+        tasks.sync_time(master, cls.ad)
+        tasks.establish_trust_with_ad(cls.master, cls.ad_domain,
+                                      extra_args=['--range-type',
+                                                  'ipa-ad-trust'])
+
+        cls.reqdir = os.path.join(master.config.test_dir, "certs")
+        cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
+        cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
+        cls.pwname = os.path.join(cls.reqdir, "pwd")
+
+        # Create a NSS database folder
+        master.run_command(['mkdir', cls.reqdir], raiseonerr=False)
+        # Create an empty password file
+        master.run_command(["touch", cls.pwname], raiseonerr=False)
+
+        # Initialize NSS database
+        tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir)
+        # Now generate self-signed certs for a windows user
+        stdin_text = string.digits+string.letters[2:] + '\n'
+        tasks.run_certutil(master, ['-S', '-s',
+                                    "cn=%s,dc=ad,dc=test" % cls.adcert1, '-n',
+                                    cls.adcert1, '-x', '-t', 'CT,C,C', '-v',
+                                    '120', '-m', '1234'],
+                           cls.reqdir, stdin=stdin_text)
+        tasks.run_certutil(master, ['-S', '-s',
+                                    "cn=%s,dc=ad,dc=test" % cls.adcert2, '-n',
+                                    cls.adcert2, '-x', '-t', 'CT,C,C', '-v',
+                                    '120', '-m', '1234'],
+                           cls.reqdir, stdin=stdin_text)
+
+        # Export the previously generated cert
+        tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>',
+                                    cls.adcert1_file], cls.reqdir)
+        tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>',
+                                    cls.adcert2_file], cls.reqdir)
+        cls.cert1_base64 = cls.master.run_command(
+            "openssl x509 -outform der -in %s | base64 -w 0" % cls.adcert1_file
+            ).stdout_text
+        cls.cert2_base64 = cls.master.run_command(
+            "openssl x509 -outform der -in %s | base64 -w 0" % cls.adcert2_file
+            ).stdout_text
+        cls.cert1_pem = cls.master.run_command(
+            "openssl x509 -in %s -outform pem" % cls.adcert1_file
+            ).stdout_text
+        cls.cert2_pem = cls.master.run_command(
+            "openssl x509 -in %s -outform pem" % cls.adcert2_file
+            ).stdout_text
+
+    def test_certs_in_idoverrides_ad_users(self):
+        """
+        http://www.freeipa.org/page/V4/Certs_in_ID_overrides/Test_Plan
+        #Test_case:_Manipulate_certificate_in_ID_override_entry
+        """
+        master = self.master
+        master.run_command(['ipa', 'idoverrideuser-add',
+                            self.adview, self.aduser])
+        master.run_command(['ipa', 'idoverrideuser-add-cert',
+                            self.adview, self.aduser,
+                            "--certificate=%s" % self.cert1_base64])
+        master.run_command(['ipa', 'idoverrideuser-add-cert',
+                            self.adview, self.aduser,
+                            "--certificate=%s" % self.cert2_base64])
+        result = master.run_command(['ipa', 'idoverrideuser-show',
+                                     self.adview, self.aduser])
+        assert(self.cert1_base64 in result.stdout_text and
+               self.cert2_base64 in result.stdout_text), (
+            "idoverrideuser-show does not show all user certificates")
+        master.run_command(['ipa', 'idoverrideuser-remove-cert',
+                            self.adview, self.aduser,
+                            "--certificate=%s" % self.cert2_base64])
+
+    def test_dbus_user_lookup(self):
+        """
+        http://www.freeipa.org/page/V4/Certs_in_ID_overrides/Test_Plan
+        #Test_case:_User_lookup_by_certificate
+        """
+
+        master = self.master
+        userpath_re = re.compile('.*object path "(.*?)".*')
+
+        result0 = master.run_command([
+            'dbus-send', '--system', '--print-reply',
+            '--dest=org.freedesktop.sssd.infopipe',
+            '/org/freedesktop/sssd/infopipe/Users',
+            'org.freedesktop.sssd.infopipe.Users.FindByCertificate',
+            "string:%s" % self.cert1_pem])
+        assert("object path" in result0.stdout_text), (
+            "command output did not contain expected"
+            "string:\n\n%s" % result0.stdout_text)
+        userpath = userpath_re.findall(result0.stdout_text)[0]
+        result1 = master.run_command(
+            "dbus-send --system --print-reply"
+            " --dest=org.freedesktop.sssd.infopipe"
+            " %s org.freedesktop.DBus.Properties.Get"
+            " string:\"org.freedesktop.sssd.infopipe.Users.User\""
+            " string:\"name\"" % userpath, raiseonerr=False)
+        assert(self.aduser in result1.stdout_text)
+        result2 = master.run_command(
+            "dbus-send --system --print-reply"
+            " --dest=org.freedesktop.sssd.infopipe"
+            " %s org.freedesktop.DBus.Properties.GetAll"
+            " string:\"org.freedesktop.sssd.infopipe.Users.User\"" % userpath
+            )
+        assert('dict entry' in result2.stdout_text)
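Review bot: The export at `tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>', cls.adcert1_file], cls.reqdir)` writes `MyCert1.crt` into whatever working directory `run_command` uses, not into `cls.reqdir`, because `adcert1_file` is a bare filename; the `rm -rf cls.reqdir` in `uninstall` therefore never removes the exported certificates, and the `>` only works because `run_certutil` joins its arguments into a shell string. I would set `cls.adcert1_file = os.path.join(cls.reqdir, cls.adcert1 + '.crt')` (and likewise for `adcert2_file`) inside `install`, or capture the command's `stdout_text` and write it through the host API instead of relying on shell redirection. Separately, `string.letters` on the `stdin_text = ...` line exists only on Python 2; `string.ascii_letters` works on both. That fixed string is presumably what certutil consumes at its random-seed prompt when generating the test keys, so a comment noting these self-signed certificates are deliberately weak and must never leave the test environment would be worthwhile.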

From d98fc3bcc214f04f52075cf3fcacd1f17ae4fe2c Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 25 Oct 2016 11:19:05 +0200
Subject: [PATCH 3/3] Test for installing rules with service principals

https://fedorahosted.org/freeipa/ticket/6481
---
 ipatests/test_integration/test_idviews.py | 82 +++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)

diff --git a/ipatests/test_integration/test_idviews.py b/ipatests/test_integration/test_idviews.py
index c35997c..9df8c0a 100644
--- a/ipatests/test_integration/test_idviews.py
+++ b/ipatests/test_integration/test_idviews.py
@@ -154,3 +154,85 @@ def test_dbus_user_lookup(self):
             " string:\"org.freedesktop.sssd.infopipe.Users.User\"" % userpath
             )
         assert('dict entry' in result2.stdout_text)
+
+
+class TestRulesWithServicePrincipals(IntegrationTest):
+    """
+    https://fedorahosted.org/freeipa/ticket/6146
+    """
+
+    topology = 'star'
+    num_replicas = 0
+    service_certprofile = 'caIPAserviceCert'
+    caacl = 'test_caacl'
+    keytab = "replica.keytab"
+    csr = "my.csr"
+    csr_conf = "replica.cnf"
+
+    @classmethod
+    def prepare_config(cls):
+        template = """
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+commonName = %s
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = %s
+DNS.2 = %s
+EOF
+        """
+
+        contents = template % (cls.replica, cls.replica, cls.master.hostname)
+        cls.master.run_command("cat <<EOF > %s\n%s" % (cls.csr_conf, contents))
+
+    @classmethod
+    def install(cls, mh):
+        super(TestRulesWithServicePrincipals, cls).install(mh)
+        master = cls.master
+        tasks.kinit_admin(master)
+        cls.replica = "replica.%s" % master.domain.name
+        master.run_command(['ipa', 'host-add', cls.replica, '--force'])
+        cls.service_name = "svc/%s" % master.hostname
+        cls.replica_service_name = "svc/%s" % cls.replica
+        master.run_command("ipa service-add %s" % cls.service_name)
+        master.run_command("ipa service-add %s --force" %
+                           cls.replica_service_name)
+        master.run_command("ipa service-add-host %s --hosts %s" % (
+            cls.service_name, cls.replica))
+        master.run_command("ipa caacl-add %s --desc \"test\"" % cls.caacl)
+        master.run_command("ipa caacl-add-host %s --hosts %s" % (cls.caacl,
+                                                                 cls.replica))
+        master.run_command("ipa caacl-add-service %s --services"
+                           " svc/`hostname`" % cls.caacl)
+        master.run_command("ipa-getkeytab -p host/%s@%s -k %s" % (
+            cls.replica, master.domain.realm, cls.keytab))
+        master.run_command("kinit -kt %s host/%s" % (cls.keytab, cls.replica))
+
+        # Prepare a CSR
+
+        cls.prepare_config()
+        stdin_text = "qwerty\nqwerty\n%s\n" % cls.replica
+
+        master.run_command(['openssl', 'req', '-config', cls.csr_conf, '-new',
+                            '-out', cls.csr], stdin_text=stdin_text)
+
+    def test_rules_with_service_principals(self):
+        result = self.master.run_command(['ipa', 'cert-request', self.csr,
+                                          '--principal', "svc/%s@%s" % (
+                                              self.replica,
+                                              self.master.domain.realm),
+                                          '--profile-id',
+                                          self.service_certprofile],
+                                         raiseonerr=False)
+        assert(result.returncode == 0), (
+            'Failed to add a cert to custom certprofile')
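Review bot: `ipa caacl-add-service %s --services svc/`hostname`` resolves the service name with a backtick substitution in the master's shell instead of using `cls.service_name`, which was built from `master.hostname` a few lines earlier; if `hostname` returns a short name the ACL is attached to a principal that does not exist and the positive test fails for the wrong reason. I would pass the Python value: `master.run_command(['ipa', 'caacl-add-service', cls.caacl, '--services', cls.service_name])`. The class also leaves `replica.keytab` (a live host key freshly issued by `ipa-getkeytab`) and the private key `openssl req -new` writes by default in the working directory, and replaces the admin ticket with the host principal's without any `uninstall` to restore it; an `uninstall` classmethod that removes those files and re-runs `tasks.kinit_admin` would keep later test classes from inheriting a host credential. The assertion message `'Failed to add a cert to custom certprofile'` describes a different operation than the `cert-request` it guards.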
-- 