def test_sign_smime_csr_full_principal(self, smime_profile, smime_user):
csr = generate_user_csr(smime_user)
smime_user_principal = '@'.join((smime_user, api.env.realm))
with change_principal(smime_user, SMIME_USER_PW):
api.Command.cert_request(csr,
principal=smime_user_principal,
profile_id=smime_profile.name)
def test_sign_smime_csr(self, smime_profile, smime_user):
csr = generate_user_csr(smime_user)
with change_principal(smime_user, SMIME_USER_PW):
with pytest.raises(errors.CertificateOperationError):
api.Command.cert_request(csr,
principal=smime_user,
profile_id=smime_profile.name)
def test_sign_smime_csr(self, smime_profile, smime_user, smime_signing_ca):
csr = generate_user_csr(smime_user)
with change_principal(smime_user, SMIME_USER_PW):
api.Command.cert_request(csr,
principal=smime_user,
profile_id=smime_profile.name,
cacn=smime_signing_ca.name)
def test_signing_with_disabled_acl(self, smime_acl, smime_profile,
smime_user):
csr = generate_user_csr(smime_user)
with change_principal(smime_user, SMIME_USER_PW):
with pytest.raises(errors.ACIError):
api.Command.cert_request(
csr, profile_id=smime_profile.name,
principal=smime_user)
def test_signing_with_disabled_acl(self, smime_acl, smime_profile,
smime_user):
csr = generate_user_csr(smime_user)
with change_principal(smime_user, SMIME_USER_PW):
with pytest.raises(errors.ACIError):
api.Command.cert_request(csr,
profile_id=smime_profile.name,
principal=smime_user)
def test_sign_smime_csr_full_principal(
self, smime_profile, smime_user, smime_signing_ca):
csr = generate_user_csr(smime_user)
smime_user_principal = '@'.join((smime_user, api.env.realm))
with change_principal(smime_user, SMIME_USER_PW):
api.Command.cert_request(csr, principal=smime_user_principal,
profile_id=smime_profile.name,
cacn=smime_signing_ca.name)
def test_request_cert_with_SAN_matching_principal_alias(
self, santest_subca, santest_host_1, santest_service_host_1,
santest_csr):
with host_keytab(santest_host_1.name) as keytab_filename:
with change_principal(santest_host_1.attrs['krbcanonicalname'][0],
keytab=keytab_filename):
api.Command.cert_request(santest_csr,
principal=santest_service_host_1.name,
cacn=santest_subca.name)
def test_managed_service(self, managing_host, managed_service):
""" Add a host and then add a service as a host
Finally, remove the service as a host """
managing_host.ensure_exists()
with host_keytab(managing_host.name) as keytab_filename:
with change_principal(managing_host.attrs['krbcanonicalname'][0],
keytab=keytab_filename):
managed_service.create()
managed_service.delete()
def test_verify_cert_issuer_dn_is_subca(
self, smime_profile, smime_user, smime_signing_ca):
csr = generate_user_csr(smime_user)
smime_user_principal = '@'.join((smime_user, api.env.realm))
with change_principal(smime_user, SMIME_USER_PW):
cert_info = api.Command.cert_request(
csr, principal=smime_user_principal,
profile_id=smime_profile.name, cacn=smime_signing_ca.name)
assert cert_info['result']['issuer'] == smime_signing_ca.ipasubjectdn
def __enter__(self):
self.returned = False
self.value = None
self.change_principal_cm = change_principal(self.user, self.password)
self.change_principal_cm.__enter__() # pylint: disable=no-member
if self.exception:
self.assert_raises_cm = pytest.raises(self.exception)
self.assert_raises_cm.__enter__()
return self
def test_request_cert_with_additional_host(
self, santest_subca, santest_host_1, santest_host_2,
santest_service_host_1, santest_csr):
with host_keytab(santest_host_1.name) as keytab_filename:
with change_principal(santest_host_1.attrs['krbcanonicalname'][0],
keytab=keytab_filename):
api.Command.cert_request(
santest_csr,
principal=santest_service_host_1.name,
cacn=santest_subca.name
)
def __enter__(self):
self.returned = False
self.value = None
self.change_principal_cm = change_principal(self.user, self.password)
self.change_principal_cm.__enter__() # pylint: disable=no-member
if self.exception:
self.assert_raises_cm = pytest.raises(self.exception)
self.assert_raises_cm.__enter__()
return self
def test_request_cert_with_not_allowed_SAN(self, santest_subca,
santest_host_1,
santest_service_host_1,
santest_csr):
with host_keytab(santest_host_1.name) as keytab_filename:
with change_principal(santest_host_1.attrs['krbcanonicalname'][0],
keytab=keytab_filename):
with pytest.raises(errors.NotFound):
api.Command.cert_request(
santest_csr,
principal=santest_service_host_1.name,
cacn=santest_subca.name)
def test_whoami_kerberos_services(self, krb_host, krb_service):
"""
Testing whoami as a kerberos service
"""
krb_service.ensure_exists()
with get_entity_keytab(krb_service.name, '-r') as keytab:
with change_principal(krb_service.attrs['krbcanonicalname'][0],
keytab=keytab):
result = api.Command.whoami()
expected = {u'object': u'service',
u'command': u'service_show/1',
u'arguments': (krb_service.name,)}
assert_deepequal(expected, result)
def test_request_cert_with_additional_host(self, santest_subca,
santest_host_1, santest_host_2,
santest_service_host_1,
santest_csr):
with host_keytab(santest_host_1.name) as keytab_filename:
with change_principal(santest_host_1.attrs['krbcanonicalname'][0],
keytab=keytab_filename):
with pytest.raises(errors.ACIError):
api.Command.cert_request(
santest_csr,
principal=santest_service_host_1.name,
cacn=santest_subca.name)
def test_request_cert_with_not_allowed_SAN(
self, santest_subca, santest_host_1, santest_host_2,
santest_service_host_1, santest_csr):
with host_keytab(santest_host_1.name) as keytab_filename:
with change_principal(santest_host_1.attrs['krbcanonicalname'][0],
keytab=keytab_filename):
with pytest.raises(errors.ACIError):
api.Command.cert_request(
santest_csr,
principal=santest_service_host_1.name,
cacn=santest_subca.name
)
def test_whoami_hosts(self, krb_host):
"""
Testing whoami as a host
"""
krb_host.ensure_exists()
with host_keytab(krb_host.name) as keytab_filename:
with change_principal(krb_host.attrs['krbcanonicalname'][0],
keytab=keytab_filename):
result = api.Command.whoami()
expected = {u'object': u'host',
u'command': u'host_show/1',
u'arguments': (krb_host.fqdn,)}
assert_deepequal(expected, result)
def test_delete(self, globalCfg, userCfg, allowDelLast, user):
"""
Test the deletion of the last otp token
The user auth type can be defined at a global level, or
per-user if the override is not disabled.
Depending on the resulting setting, the deletion of last token
is allowed or forbidden.
"""
# Save current global config
result = api.Command.config_show()
current_globalCfg = result.get('ipauserauthtype', None)
try:
# Set the global config for the test
api.Command.config_mod(ipauserauthtype=globalCfg)
except errors.EmptyModlist:
pass
try:
user.ensure_exists()
api.Command.user_mod(user.name, userpassword=user_password)
unlock_principal_password(user.name,
user_password, user_password)
# Set the user config for the test
api.Command.user_mod(user.name, ipauserauthtype=userCfg)
# Connect as user, create and delete the token
with change_principal(user.name, user_password):
api.Command.otptoken_add(u'lastotp', description=u'last otp',
ipatokenowner=user.name)
if allowDelLast:
# We are expecting the del command to succeed
api.Command.otptoken_del(u'lastotp')
else:
# We are expecting the del command to fail
with pytest.raises(errors.DatabaseError):
api.Command.otptoken_del(u'lastotp')
finally:
# Make sure the token is removed
try:
api.Command.otptoken_del(u'lastotp',)
except errors.NotFound:
pass
# Restore the previous ipauserauthtype
try:
api.Command.config_mod(ipauserauthtype=current_globalCfg)
except errors.EmptyModlist:
pass
def test_whoami_kerberos_services(self, krb_host, krb_service):
"""
Testing whoami as a kerberos service
"""
krb_service.ensure_exists()
with get_entity_keytab(krb_service.name, '-r') as keytab:
with change_principal(krb_service.attrs['krbcanonicalname'][0],
keytab=keytab):
result = api.Command.whoami()
expected = {
u'object': u'service',
u'command': u'service_show/1',
u'arguments': (krb_service.name, )
}
assert_deepequal(expected, result)
def test_sign_smime_csr_fallback_to_default_CA(
self, smime_profile, smime_user, smime_signing_ca):
""" Attempt to sign a CSR without CA specified.
The request will satisfy SMIME_ACL via the profile ID,
however not specifying the CA will fallback to the IPA CA
for which SMIME profile isn't enabled, thus violating ACL.
"""
csr = generate_user_csr(smime_user)
smime_user_principal = '@'.join((smime_user, api.env.realm))
with pytest.raises(errors.ACIError):
with change_principal(smime_user, SMIME_USER_PW):
api.Command.cert_request(csr, principal=smime_user_principal,
profile_id=smime_profile.name)
def test_whoami_hosts(self, krb_host):
"""
Testing whoami as a host
"""
krb_host.ensure_exists()
with host_keytab(krb_host.name) as keytab_filename:
with change_principal(krb_host.attrs['krbcanonicalname'][0],
keytab=keytab_filename):
result = api.Command.whoami()
expected = {
u'object': u'host',
u'command': u'host_show/1',
u'arguments': (krb_host.fqdn, )
}
assert_deepequal(expected, result)
def test_authenticate_with_user_alias(self, krbalias_user):
krbalias_user.ensure_exists()
alias = u"{name}-alias".format(name=krbalias_user.name)
krbalias_user.add_principal(alias)
oldpw, newpw = u"Secret1234", u"Secret123"
pwdmod = krbalias_user.make_update_command({'userpassword': oldpw})
pwdmod()
unlock_principal_password(krbalias_user.name, oldpw, newpw)
with change_principal(alias, newpw, canonicalize=True):
api.Command.ping()
def test_authenticate_with_user_alias(self, krbalias_user):
krbalias_user.ensure_exists()
alias = u"{name}-alias".format(name=krbalias_user.name)
krbalias_user.add_principal(alias)
oldpw, newpw = u"Secret1234", u"Secret123"
pwdmod = krbalias_user.make_update_command({'userpassword': oldpw})
pwdmod()
unlock_principal_password(krbalias_user.name, oldpw, newpw)
with change_principal(alias, newpw, canonicalize=True):
api.Command.ping()
def test_sign_smime_csr_fallback_to_default_cert_profile(
self, smime_profile, smime_user, smime_signing_ca):
""" Attempt to sign a CSR without certificate profile specified.
Similar to previous test case.
By specifying only the CA to use, profile will fallback to
the default caIPAserviceCert profile which is not enabled
via ACL to be used with the CA, thus failing the request.
"""
csr = generate_user_csr(smime_user)
smime_user_principal = '@'.join((smime_user, api.env.realm))
with pytest.raises(errors.ACIError):
with change_principal(smime_user, SMIME_USER_PW):
api.Command.cert_request(csr, principal=smime_user_principal,
cacn=smime_signing_ca.name)
def test_whoami_users(self, krb_user):
"""
Testing whoami as user
"""
krb_user.ensure_exists()
pwdmod = krb_user.make_update_command({'userpassword': self.oldpw})
pwdmod()
unlock_principal_password(krb_user.name, self.oldpw, self.newpw)
with change_principal(krb_user.name, self.newpw):
result = api.Command.whoami()
expected = {u'object': u'user',
u'command': u'user_show/1',
u'arguments': (krb_user.name,)}
assert_deepequal(expected, result)
def test_issuing_service_cert_by_related_host(self, santest_subca,
santest_host_1,
santest_host_2,
santest_service_host_1,
santest_csr):
# The test case alters the previous state by making
# the service managed by the second host.
# Then it attempts to request the certificate again
api.Command['service_add_host'](santest_service_host_1.name,
host=[santest_host_2.fqdn])
with host_keytab(santest_host_2.name) as keytab_filename:
with change_principal(santest_host_2.attrs['krbcanonicalname'][0],
keytab=keytab_filename):
api.Command.cert_request(santest_csr,
principal=santest_service_host_1.name,
cacn=santest_subca.name)
def test_whoami_users(self, krb_user):
"""
Testing whoami as user
"""
krb_user.ensure_exists()
pwdmod = krb_user.make_update_command({'userpassword': self.oldpw})
pwdmod()
unlock_principal_password(krb_user.name, self.oldpw, self.newpw)
with change_principal(krb_user.name, self.newpw):
result = api.Command.whoami()
expected = {
u'object': u'user',
u'command': u'user_show/1',
u'arguments': (krb_user.name, )
}
assert_deepequal(expected, result)
def test_issuing_service_cert_by_related_host(self,
santest_subca,
santest_host_1,
santest_host_2,
santest_service_host_1,
santest_csr):
# The test case alters the previous state by making
# the service managed by the second host.
# Then it attempts to request the certificate again
api.Command['service_add_host'](
santest_service_host_1.name, host=[santest_host_2.fqdn]
)
with host_keytab(santest_host_2.name) as keytab_filename:
with change_principal(santest_host_2.attrs['krbcanonicalname'][0],
keytab=keytab_filename):
api.Command.cert_request(
santest_csr,
principal=santest_service_host_1.name,
cacn=santest_subca.name
)
def test_sign_smime_csr(self, smime_profile, smime_user):
csr = generate_user_csr(smime_user)
with change_principal(smime_user, SMIME_USER_PW):
with pytest.raises(errors.CertificateOperationError):
api.Command.cert_request(csr, principal=smime_user,
profile_id=smime_profile.name)
def test_sign_smime_csr(self, smime_profile, smime_user):
csr = generate_user_csr(smime_user)
with change_principal(smime_user, SMIME_USER_PW):
api.Command.cert_request(csr, principal=smime_user,
profile_id=smime_profile.name)