def test_sign_smime_csr_full_principal(self, smime_profile, smime_user):
     """Request a certificate using the realm-qualified user principal.

     A CSR is generated for ``smime_user`` and submitted while authenticated
     as that same user. The test passes when ``cert_request`` returns without
     raising; the issued certificate itself is not inspected.
     """
     user_csr = generate_user_csr(smime_user)
     # Qualify the bare user name with the realm: <user>@<realm>.
     qualified_principal = '@'.join([smime_user, api.env.realm])
     with change_principal(smime_user, SMIME_USER_PW):
         api.Command.cert_request(
             user_csr,
             principal=qualified_principal,
             profile_id=smime_profile.name)
 def test_sign_smime_csr(self, smime_profile, smime_user):
     """Expect the CA operation to fail for a self-service S/MIME request.

     The user authenticates with a password and submits a CSR for its own
     principal against the S/MIME profile. ``cert_request`` must raise
     ``CertificateOperationError``; any other outcome, including success,
     fails the test.
     """
     user_csr = generate_user_csr(smime_user)
     with change_principal(smime_user, SMIME_USER_PW), \
             pytest.raises(errors.CertificateOperationError):
         api.Command.cert_request(
             user_csr,
             principal=smime_user,
             profile_id=smime_profile.name)
 def test_sign_smime_csr(self, smime_profile, smime_user, smime_signing_ca):
     """Request an S/MIME certificate from an explicitly named CA.

     Both the profile and the issuing CA are passed to ``cert_request``.
     The test only checks that the call does not raise; it makes no
     assertion about the returned certificate.
     """
     user_csr = generate_user_csr(smime_user)
     with change_principal(smime_user, SMIME_USER_PW):
         api.Command.cert_request(
             user_csr,
             principal=smime_user,
             profile_id=smime_profile.name,
             cacn=smime_signing_ca.name)
 def test_signing_with_disabled_acl(self, smime_acl, smime_profile,
                                    smime_user):
     """Check that the request is denied with ``ACIError``.

     ``smime_acl`` is requested only for its fixture side effects and is
     not referenced in the body.
     NOTE(review): the test name implies the fixture leaves the CA ACL
     disabled -- confirm against the fixture definition.
     """
     user_csr = generate_user_csr(smime_user)
     with change_principal(smime_user, SMIME_USER_PW), \
             pytest.raises(errors.ACIError):
         api.Command.cert_request(
             user_csr,
             profile_id=smime_profile.name,
             principal=smime_user)
 def test_signing_with_disabled_acl(self, smime_acl, smime_profile,
                                    smime_user):
     """Assert that a certificate request is rejected with ``ACIError``.

     The user authenticates with its password and asks for a certificate
     for its own principal under the S/MIME profile. The ``smime_acl``
     fixture is pulled in but never used directly.
     NOTE(review): presumably the fixture provides the ACL in a disabled
     state, as the test name suggests -- verify in the fixture.
     """
     request_csr = generate_user_csr(smime_user)
     with change_principal(smime_user, SMIME_USER_PW), \
             pytest.raises(errors.ACIError):
         api.Command.cert_request(
             request_csr,
             profile_id=smime_profile.name,
             principal=smime_user)
 def test_sign_smime_csr_full_principal(
         self, smime_profile, smime_user, smime_signing_ca):
     """Request a certificate for ``<user>@<realm>`` from a named CA.

     The CSR is submitted as the user itself, with both the profile and
     the issuing CA given explicitly. Passing means ``cert_request`` did
     not raise; the result is discarded.
     """
     request_csr = generate_user_csr(smime_user)
     # Realm-qualified form of the user name.
     full_principal = '@'.join([smime_user, api.env.realm])
     with change_principal(smime_user, SMIME_USER_PW):
         api.Command.cert_request(
             request_csr,
             principal=full_principal,
             profile_id=smime_profile.name,
             cacn=smime_signing_ca.name)
 def test_request_cert_with_SAN_matching_principal_alias(
         self, santest_subca, santest_host_1, santest_service_host_1,
         santest_csr):
     """Request a service certificate while authenticated as the host.

     The host logs in with its keytab, under the first value of its
     ``krbcanonicalname`` attribute, and submits ``santest_csr`` for the
     service principal to the CA named by ``santest_subca``. The request
     is expected to succeed; the issued certificate (including its SAN
     entries) is not examined here.
     """
     with host_keytab(santest_host_1.name) as keytab_path, \
             change_principal(
                 santest_host_1.attrs['krbcanonicalname'][0],
                 keytab=keytab_path):
         api.Command.cert_request(
             santest_csr,
             principal=santest_service_host_1.name,
             cacn=santest_subca.name)
Beispiel #8
 def test_managed_service(self, managing_host, managed_service):
     """Create and then delete a service while authenticated as a host.

     The host entry is ensured first; the service is then added and
     removed under the host's own keytab credentials rather than the
     default test identity.
     """
     managing_host.ensure_exists()
     with host_keytab(managing_host.name) as keytab_path, \
             change_principal(
                 managing_host.attrs['krbcanonicalname'][0],
                 keytab=keytab_path):
         managed_service.create()
         managed_service.delete()
    def test_verify_cert_issuer_dn_is_subca(
            self, smime_profile, smime_user, smime_signing_ca):
        """Check that the issued certificate names the requested CA as issuer.

        The certificate is requested as the user itself, for the
        realm-qualified principal, with both profile and CA given. The
        ``issuer`` field of the result must equal the CA's
        ``ipasubjectdn``, so a certificate silently issued by a different
        CA fails the test.
        """
        request_csr = generate_user_csr(smime_user)
        full_principal = '@'.join([smime_user, api.env.realm])
        with change_principal(smime_user, SMIME_USER_PW):
            response = api.Command.cert_request(
                request_csr,
                principal=full_principal,
                profile_id=smime_profile.name,
                cacn=smime_signing_ca.name)

        # Compared outside the principal switch: only the response is needed.
        issuer_dn = response['result']['issuer']
        assert issuer_dn == smime_signing_ca.ipasubjectdn
Beispiel #10
    def __enter__(self):
        """Switch to the configured principal and arm the optional raises check.

        Resets ``returned`` and ``value``, enters ``change_principal`` with
        the stored user and password, and, when ``self.exception`` is
        truthy, also enters ``pytest.raises`` for it. Both context managers
        are kept on the instance.

        NOTE(review): if entering ``pytest.raises`` fails, nothing in this
        method exits ``change_principal_cm`` again, so the switched
        principal could stay active -- confirm the matching ``__exit__``
        (not visible here) or the caller covers that path.
        """
        self.returned = False
        self.value = None

        principal_cm = change_principal(self.user, self.password)
        self.change_principal_cm = principal_cm
        principal_cm.__enter__()  # pylint: disable=no-member

        if not self.exception:
            return self

        self.assert_raises_cm = pytest.raises(self.exception)
        self.assert_raises_cm.__enter__()
        return self
    def test_request_cert_with_additional_host(
            self, santest_subca, santest_host_1, santest_host_2,
            santest_service_host_1, santest_csr):
        """Request a service certificate as the first host; expect success.

        ``santest_host_2`` is requested as a fixture but never referenced
        in the body. The call must complete without raising; the returned
        certificate is not checked.
        """
        with host_keytab(santest_host_1.name) as keytab_path, \
                change_principal(
                    santest_host_1.attrs['krbcanonicalname'][0],
                    keytab=keytab_path):
            api.Command.cert_request(
                santest_csr,
                principal=santest_service_host_1.name,
                cacn=santest_subca.name)
Beispiel #12
    def __enter__(self):
        """Enter the principal switch and, if requested, ``pytest.raises``.

        ``returned`` and ``value`` are reset on every entry. The
        ``change_principal`` context manager is always entered; the
        ``pytest.raises`` one only when ``self.exception`` is truthy.

        NOTE(review): a failure while entering ``pytest.raises`` leaves
        ``change_principal_cm`` entered with no cleanup in this method;
        check that ``__exit__`` (outside this view) is still reached.
        """
        self.returned = False
        self.value = None

        self.change_principal_cm = change_principal(self.user, self.password)
        self.change_principal_cm.__enter__()  # pylint: disable=no-member

        expected_exception = self.exception
        if expected_exception:
            raises_cm = pytest.raises(expected_exception)
            self.assert_raises_cm = raises_cm
            raises_cm.__enter__()

        return self
    def test_request_cert_with_not_allowed_SAN(self, santest_subca,
                                               santest_host_1,
                                               santest_service_host_1,
                                               santest_csr):
        """Expect ``NotFound`` when the host requests the service certificate.

        The host authenticates with its keytab and submits ``santest_csr``
        for the service principal. The request must be refused with
        ``errors.NotFound``; success or any other error fails the test.
        """
        with host_keytab(santest_host_1.name) as keytab_path, \
                change_principal(
                    santest_host_1.attrs['krbcanonicalname'][0],
                    keytab=keytab_path), \
                pytest.raises(errors.NotFound):
            api.Command.cert_request(
                santest_csr,
                principal=santest_service_host_1.name,
                cacn=santest_subca.name)
Beispiel #14
 def test_whoami_kerberos_services(self, krb_host, krb_service):
     """Verify ``whoami`` identifies a caller authenticated as a service.

     The service logs in with a keytab obtained through
     ``get_entity_keytab`` and the reply must describe a ``service``
     object resolved via ``service_show/1`` with the service name as the
     only argument. ``krb_host`` is requested for its fixture side
     effects only.
     """
     krb_service.ensure_exists()
     with get_entity_keytab(krb_service.name, '-r') as service_keytab, \
             change_principal(
                 krb_service.attrs['krbcanonicalname'][0],
                 keytab=service_keytab):
         reply = api.Command.whoami()
         assert_deepequal(
             {
                 u'object': u'service',
                 u'command': u'service_show/1',
                 u'arguments': (krb_service.name,),
             },
             reply)
    def test_request_cert_with_additional_host(self, santest_subca,
                                               santest_host_1, santest_host_2,
                                               santest_service_host_1,
                                               santest_csr):
        """Expect ``ACIError`` when the first host requests the certificate.

        The host authenticates with its keytab and asks the named CA for a
        certificate for the service principal; the request must be denied.
        ``santest_host_2`` is a fixture dependency that the body does not
        reference.
        """
        with host_keytab(santest_host_1.name) as keytab_path, \
                change_principal(
                    santest_host_1.attrs['krbcanonicalname'][0],
                    keytab=keytab_path), \
                pytest.raises(errors.ACIError):
            api.Command.cert_request(
                santest_csr,
                principal=santest_service_host_1.name,
                cacn=santest_subca.name)
    def test_request_cert_with_not_allowed_SAN(
            self, santest_subca, santest_host_1, santest_host_2,
            santest_service_host_1, santest_csr):
        """Expect ``ACIError`` for the service certificate request.

        The first host authenticates with its keytab and submits
        ``santest_csr`` for the service principal to the named CA. The
        server must deny the request with ``errors.ACIError``.
        ``santest_host_2`` is requested but unused in the body.
        """
        with host_keytab(santest_host_1.name) as keytab_path, \
                change_principal(
                    santest_host_1.attrs['krbcanonicalname'][0],
                    keytab=keytab_path), \
                pytest.raises(errors.ACIError):
            api.Command.cert_request(
                santest_csr,
                principal=santest_service_host_1.name,
                cacn=santest_subca.name)
Beispiel #17
 def test_whoami_hosts(self, krb_host):
     """Verify ``whoami`` identifies a caller authenticated as a host.

     The host logs in with its keytab; the reply must describe a ``host``
     object resolved via ``host_show/1`` with the host FQDN as the only
     argument.
     """
     krb_host.ensure_exists()
     with host_keytab(krb_host.name) as keytab_path, \
             change_principal(
                 krb_host.attrs['krbcanonicalname'][0],
                 keytab=keytab_path):
         reply = api.Command.whoami()
         assert_deepequal(
             {
                 u'object': u'host',
                 u'command': u'host_show/1',
                 u'arguments': (krb_host.fqdn,),
             },
             reply)
Beispiel #18
    def test_delete(self, globalCfg, userCfg, allowDelLast, user):
        """
        Test the deletion of the last otp token

        The user auth type can be defined at a global level, or
        per-user if the override is not disabled.
        Depending on the resulting setting, the deletion of last token
        is allowed or forbidden.

        ``globalCfg`` and ``userCfg`` are written to ``ipauserauthtype`` at
        the global and per-user level respectively; ``allowDelLast`` states
        whether the user's own ``otptoken_del`` is expected to succeed or to
        raise ``DatabaseError``. Cleanup always runs: the token is removed
        and the global setting is written back.
        """
        # Save current global config
        result = api.Command.config_show()
        # NOTE(review): elsewhere on this page command results are read
        # through the 'result' key of the return value. If config_show uses
        # the same envelope, this lookup always yields None and the restore
        # step below clears the global auth type instead of restoring it --
        # confirm against the API.
        current_globalCfg = result.get('ipauserauthtype', None)

        try:
            # Set the global config for the test
            api.Command.config_mod(ipauserauthtype=globalCfg)
        except errors.EmptyModlist:
            # Nothing to change: the requested value is already in place.
            pass

        try:
            user.ensure_exists()
            # user_password is not defined in this method; it comes from the
            # enclosing scope.
            api.Command.user_mod(user.name, userpassword=user_password)
            unlock_principal_password(user.name,
                                      user_password, user_password)
            # Set the user config for the test
            api.Command.user_mod(user.name, ipauserauthtype=userCfg)

            # Connect as user, create and delete the token
            with change_principal(user.name, user_password):
                api.Command.otptoken_add(u'lastotp', description=u'last otp',
                                         ipatokenowner=user.name)
                if allowDelLast:
                    # We are expecting the del command to succeed
                    api.Command.otptoken_del(u'lastotp')
                else:
                    # We are expecting the del command to fail
                    with pytest.raises(errors.DatabaseError):
                        api.Command.otptoken_del(u'lastotp')

        finally:
            # Make sure the token is removed
            # This runs after change_principal has exited, so the delete is
            # issued outside the user's switched identity.
            try:
                api.Command.otptoken_del(u'lastotp',)
            except errors.NotFound:
                # Already deleted by the user in the allowDelLast case.
                pass

            # Restore the previous ipauserauthtype
            try:
                api.Command.config_mod(ipauserauthtype=current_globalCfg)
            except errors.EmptyModlist:
                pass
Beispiel #19
 def test_whoami_kerberos_services(self, krb_host, krb_service):
     """Check the ``whoami`` reply for a caller authenticated as a service.

     After logging in with the service keytab, ``whoami`` must report a
     ``service`` object, the ``service_show/1`` command and the service
     name as its single argument. ``krb_host`` is only a fixture
     dependency.
     """
     krb_service.ensure_exists()
     with get_entity_keytab(krb_service.name, '-r') as service_keytab, \
             change_principal(
                 krb_service.attrs['krbcanonicalname'][0],
                 keytab=service_keytab):
         reply = api.Command.whoami()
         wanted = dict([
             (u'object', u'service'),
             (u'command', u'service_show/1'),
             (u'arguments', (krb_service.name,)),
         ])
         assert_deepequal(wanted, reply)
    def test_sign_smime_csr_fallback_to_default_CA(
            self, smime_profile, smime_user, smime_signing_ca):
        """Omit the CA from the request and expect an ACL denial.

        The profile ID alone would satisfy SMIME_ACL, but with no CA given
        the request falls back to the IPA CA, for which the SMIME profile
        is not enabled. The resulting ACL violation must surface as
        ``ACIError``.

        NOTE(review): ``pytest.raises`` also wraps the principal switch,
        so an ``ACIError`` raised while changing principal would satisfy
        the test as well.
        """
        request_csr = generate_user_csr(smime_user)
        full_principal = '@'.join([smime_user, api.env.realm])

        with pytest.raises(errors.ACIError), \
                change_principal(smime_user, SMIME_USER_PW):
            api.Command.cert_request(
                request_csr,
                principal=full_principal,
                profile_id=smime_profile.name)
Beispiel #21
 def test_whoami_hosts(self, krb_host):
     """Check the ``whoami`` reply for a caller authenticated as a host.

     After logging in with the host keytab, ``whoami`` must report a
     ``host`` object, the ``host_show/1`` command and the host FQDN as its
     single argument.
     """
     krb_host.ensure_exists()
     with host_keytab(krb_host.name) as keytab_path, \
             change_principal(
                 krb_host.attrs['krbcanonicalname'][0],
                 keytab=keytab_path):
         reply = api.Command.whoami()
         wanted = dict([
             (u'object', u'host'),
             (u'command', u'host_show/1'),
             (u'arguments', (krb_host.fqdn,)),
         ])
         assert_deepequal(wanted, reply)
    def test_authenticate_with_user_alias(self, krbalias_user):
        """Authenticate under a principal alias instead of the user name.

        An alias ``<name>-alias`` is added to the user, the password is set
        and then changed through ``unlock_principal_password``, and finally
        the alias plus the new password are used to log in with
        ``canonicalize=True``. A successful ``ping`` proves the login
        worked.
        """
        # Fixed test-only credentials: the initial password and the one
        # used after the forced change.
        initial_pw, final_pw = u"Secret1234", u"Secret123"

        krbalias_user.ensure_exists()

        alias_name = u"{name}-alias".format(name=krbalias_user.name)
        krbalias_user.add_principal(alias_name)

        set_password = krbalias_user.make_update_command(
            {'userpassword': initial_pw})
        set_password()

        unlock_principal_password(krbalias_user.name, initial_pw, final_pw)

        with change_principal(alias_name, final_pw, canonicalize=True):
            api.Command.ping()
Beispiel #23
    def test_authenticate_with_user_alias(self, krbalias_user):
        """Log in with a user's principal alias and verify the session works.

        The alias ``<name>-alias`` is attached to the user. The password is
        first set to one value and then changed to another via
        ``unlock_principal_password``. The login uses the alias, the second
        password and ``canonicalize=True``; ``ping`` must then succeed.
        """
        krbalias_user.ensure_exists()

        user_alias = u"{name}-alias".format(name=krbalias_user.name)
        krbalias_user.add_principal(user_alias)

        # Fixed test-only credentials.
        first_pw = u"Secret1234"
        second_pw = u"Secret123"

        krbalias_user.make_update_command({'userpassword': first_pw})()

        unlock_principal_password(krbalias_user.name, first_pw, second_pw)

        with change_principal(user_alias, second_pw, canonicalize=True):
            api.Command.ping()
    def test_sign_smime_csr_fallback_to_default_cert_profile(
            self, smime_profile, smime_user, smime_signing_ca):
        """Omit the certificate profile and expect an ACL denial.

        Only the CA is specified, so the profile falls back to the default
        caIPAserviceCert profile. That profile is not enabled via ACL for
        use with this CA, so the request must fail with ``ACIError``.

        NOTE(review): ``pytest.raises`` encloses the principal switch too,
        so an ``ACIError`` from ``change_principal`` itself would also
        pass.
        """
        request_csr = generate_user_csr(smime_user)
        full_principal = '@'.join([smime_user, api.env.realm])

        with pytest.raises(errors.ACIError), \
                change_principal(smime_user, SMIME_USER_PW):
            api.Command.cert_request(
                request_csr,
                principal=full_principal,
                cacn=smime_signing_ca.name)
Beispiel #25
    def test_whoami_users(self, krb_user):
        """Verify ``whoami`` identifies a caller authenticated as a user.

        The user's password is set to ``self.oldpw`` and then changed to
        ``self.newpw`` through ``unlock_principal_password``. After logging
        in with the new password, ``whoami`` must describe a ``user``
        object resolved via ``user_show/1`` with the user name as its only
        argument.
        """
        krb_user.ensure_exists()

        krb_user.make_update_command({'userpassword': self.oldpw})()

        unlock_principal_password(krb_user.name, self.oldpw, self.newpw)

        with change_principal(krb_user.name, self.newpw):
            reply = api.Command.whoami()
            assert_deepequal(
                {
                    u'object': u'user',
                    u'command': u'user_show/1',
                    u'arguments': (krb_user.name,),
                },
                reply)
    def test_issuing_service_cert_by_related_host(self, santest_subca,
                                                  santest_host_1,
                                                  santest_host_2,
                                                  santest_service_host_1,
                                                  santest_csr):
        """Let a host that manages the service request its certificate.

        The second host is first added to the service via
        ``service_add_host``, which changes state left by earlier tests.
        That host then authenticates with its own keytab and requests the
        service certificate again; the request is expected to succeed.
        ``santest_host_1`` is a fixture dependency the body does not use.
        """
        # Make the service managed by the second host before retrying.
        add_managing_host = api.Command['service_add_host']
        add_managing_host(santest_service_host_1.name,
                          host=[santest_host_2.fqdn])

        with host_keytab(santest_host_2.name) as keytab_path, \
                change_principal(
                    santest_host_2.attrs['krbcanonicalname'][0],
                    keytab=keytab_path):
            api.Command.cert_request(
                santest_csr,
                principal=santest_service_host_1.name,
                cacn=santest_subca.name)
Beispiel #27
    def test_whoami_users(self, krb_user):
        """Check the ``whoami`` reply for a caller authenticated as a user.

        The password is set to ``self.oldpw``, changed to ``self.newpw``
        via ``unlock_principal_password``, and the user logs in with the
        new one. ``whoami`` must then report a ``user`` object, the
        ``user_show/1`` command and the user name as its single argument.
        """
        krb_user.ensure_exists()

        set_password = krb_user.make_update_command(
            {'userpassword': self.oldpw})
        set_password()

        unlock_principal_password(krb_user.name, self.oldpw, self.newpw)

        with change_principal(krb_user.name, self.newpw):
            reply = api.Command.whoami()
            wanted = dict([
                (u'object', u'user'),
                (u'command', u'user_show/1'),
                (u'arguments', (krb_user.name,)),
            ])
            assert_deepequal(wanted, reply)
    def test_issuing_service_cert_by_related_host(self,
                                                  santest_subca,
                                                  santest_host_1,
                                                  santest_host_2,
                                                  santest_service_host_1,
                                                  santest_csr):
        """Request the service certificate as a newly added managing host.

        State from earlier tests is altered first: ``service_add_host``
        makes the second host a manager of the service. The second host
        then logs in with its keytab and repeats the certificate request,
        which must complete without raising. ``santest_host_1`` is
        requested but unused in the body.
        """
        service_name = santest_service_host_1.name
        api.Command['service_add_host'](service_name,
                                        host=[santest_host_2.fqdn])

        with host_keytab(santest_host_2.name) as keytab_path, \
                change_principal(
                    santest_host_2.attrs['krbcanonicalname'][0],
                    keytab=keytab_path):
            api.Command.cert_request(
                santest_csr,
                principal=santest_service_host_1.name,
                cacn=santest_subca.name)
 def test_sign_smime_csr(self, smime_profile, smime_user):
     """Expect ``CertificateOperationError`` for the user's own request.

     The user authenticates with its password and submits a CSR for its
     own principal under the S/MIME profile, with no CA specified. The
     call must raise ``CertificateOperationError``.
     """
     request_csr = generate_user_csr(smime_user)
     with change_principal(smime_user, SMIME_USER_PW), \
             pytest.raises(errors.CertificateOperationError):
         api.Command.cert_request(
             request_csr,
             principal=smime_user,
             profile_id=smime_profile.name)
 def test_sign_smime_csr(self, smime_profile, smime_user):
     """Request an S/MIME certificate as the user; expect success.

     The user authenticates with its password and submits a CSR for its
     own principal under the S/MIME profile. The test passes when
     ``cert_request`` does not raise; the result is not inspected.
     """
     request_csr = generate_user_csr(smime_user)
     with change_principal(smime_user, SMIME_USER_PW):
         api.Command.cert_request(
             request_csr,
             principal=smime_user,
             profile_id=smime_profile.name)