def test_02_db_caconnector(self):
pass
# save a CA connector
ca_id = save_caconnector({
"caconnector": "myCA",
"type": "local",
"cakey": "/opt/ca/key.pem",
"cacert": "/opt/ca/cert.pem"
})
self.assertTrue(ca_id > 0, ca_id)
# Update the CA connector
save_caconnector({
"caconnector": "myCA",
"type": "local",
"WorkingDir": "/opt/ca",
"Password": "******",
"type.Password": "******"
})
# check if connector is in DB
calist = get_caconnector_list()
self.assertEqual(len(calist), 1)
calist = get_caconnector_list(filter_caconnector_type="local")
self.assertEqual(len(calist), 1)
# check the config values of "myCA"
self.assertEqual(calist[0].get("data").get("WorkingDir"), "/opt/ca")
self.assertEqual(calist[0].get("data").get("cakey"), "/opt/ca/key.pem")
# get the CA connector list without a config
calist = get_caconnector_list(return_config=False)
self.assertEqual(len(calist), 1)
# check that there are no values
self.assertEqual(calist[0].get("data"), {})
# test the CA connector:
config = get_caconnector_config("myCA")
self.assertEqual(config.get("WorkingDir"), "/opt/ca")
self.assertEqual(config.get("cakey"), "/opt/ca/key.pem")
# get_caconnector_object()
ca_obj = get_caconnector_object("myCA")
self.assertTrue(ca_obj.connector_type, "local")
catype = get_caconnector_type("myCA")
self.assertTrue(catype, "local")
# delete the CA connector
delete_caconnector("myCA")
# check if connector is deleted from DB
self.assertEqual(len(calist), 1)
def test_02a_fail_request_with_attestation(self):
cwd = os.getcwd()
# setup ca connector
r = save_caconnector({
"cakey": CAKEY,
"cacert": CACERT,
"type": "local",
"caconnector": "localCA",
"openssl.cnf": OPENSSLCNF,
"CSRDir": "",
"CertificateDir": "",
"WorkingDir": cwd + "/" + WORKINGDIR
})
db_token = Token(self.serial2, tokentype="certificate")
db_token.save()
token = CertificateTokenClass(db_token)
# A cert request will fail, since the attestation certificate does not match
self.assertRaises(privacyIDEAError, token.update, {
"ca": "localCA",
"attestation": BOGUS_ATTESTATION,
"request": REQUEST
})
remove_token(self.serial2)
def test_17_enroll_certificate(self):
cwd = os.getcwd()
# setup ca connector
r = save_caconnector({"cakey": CAKEY,
"cacert": CACERT,
"type": "local",
"caconnector": "localCA",
"openssl.cnf": OPENSSLCNF,
"CSRDir": "",
"CertificateDir": "",
"WorkingDir": cwd + "/" + WORKINGDIR})
with self.app.test_request_context('/token/init',
data={"type": "certificate",
"request": REQUEST,
"ca": "localCA"},
method="POST",
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data).get("result")
self.assertTrue(result.get("value"))
detail = json.loads(res.data).get("detail")
certificate = detail.get("certificate")
self.assertTrue("-----BEGIN CERTIFICATE-----" in certificate)
def test_04_create_token_on_server(self):
self.setUp_user_realms()
cwd = os.getcwd()
# setup ca connector
r = save_caconnector({"cakey": CAKEY,
"cacert": CACERT,
"type": "local",
"caconnector": "localCA",
"openssl.cnf": OPENSSLCNF,
"CSRDir": "",
"CertificateDir": "",
"WorkingDir": cwd + "/" + WORKINGDIR})
db_token = Token(self.serial3, tokentype="certificate")
db_token.save()
token = CertificateTokenClass(db_token)
# missing user
self.assertRaises(ParameterError,
token.update, {"ca": "localCA","genkey": 1})
token.update({"ca": "localCA", "genkey": 1,
"user": "******"})
self.assertEqual(token.token.serial, self.serial3)
self.assertEqual(token.token.tokentype, "certificate")
self.assertEqual(token.type, "certificate")
detail = token.get_init_detail()
certificate = detail.get("certificate")
# At each testrun, the certificate might get another serial number!
x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
self.assertEqual("{0!r}".format(x509obj.get_issuer()),
"<X509Name object '/C=DE/ST=Hessen"
"/O=privacyidea/CN=CA001'>")
self.assertEqual("{0!r}".format(x509obj.get_subject()),
"<X509Name object '/OU=realm1/CN=cornelius/[email protected]'>")
# Test, if the certificate is also completely stored in the tokeninfo
# and if we can retrieve it from the tokeninfo
token = get_tokens(serial=self.serial3)[0]
certificate = token.get_tokeninfo("certificate")
x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
self.assertEqual("{0!r}".format(x509obj.get_issuer()),
"<X509Name object '/C=DE/ST=Hessen"
"/O=privacyidea/CN=CA001'>")
self.assertEqual("{0!r}".format(x509obj.get_subject()),
"<X509Name object '/OU=realm1/CN=cornelius/[email protected]'>")
privatekey = token.get_tokeninfo("privatekey")
self.assertTrue(privatekey.startswith("-----BEGIN PRIVATE KEY-----"))
# check for pkcs12
self.assertTrue(detail.get("pkcs12"))
# revoke the token
r = token.revoke()
self.assertEqual(r, int_to_hex(x509obj.get_serial_number()))
def test_02_db_caconnector(self):
pass
# save a CA connector
ca_id = save_caconnector({"caconnector": "myCA",
"type": "local",
"cakey": "/opt/ca/key.pem",
"cacert": "/opt/ca/cert.pem"})
self.assertTrue(ca_id > 0, ca_id)
# Update the CA connector
save_caconnector({"caconnector": "myCA",
"type": "local",
"WorkingDir": "/opt/ca",
"Password": "******",
"type.Password": "******"})
# check if connector is in DB
calist = get_caconnector_list()
self.assertEqual(len(calist), 1)
calist = get_caconnector_list(filter_caconnector_type="local")
self.assertEqual(len(calist), 1)
# check the config values of "myCA"
self.assertEqual(calist[0].get("data").get("WorkingDir"), "/opt/ca")
self.assertEqual(calist[0].get("data").get("cakey"), "/opt/ca/key.pem")
# get the CA connector list without a config
calist = get_caconnector_list(return_config=False)
self.assertEqual(len(calist), 1)
# check that there are no values
self.assertEqual(calist[0].get("data"), {})
# test the CA connector:
config = get_caconnector_config("myCA")
self.assertEqual(config.get("WorkingDir"), "/opt/ca")
self.assertEqual(config.get("cakey"), "/opt/ca/key.pem")
# get_caconnector_object()
ca_obj = get_caconnector_object("myCA")
self.assertTrue(ca_obj.connector_type, "local")
catype = get_caconnector_type("myCA")
self.assertTrue(catype, "local")
# delete the CA connector
delete_caconnector("myCA")
# check if connector is deleted from DB
self.assertEqual(len(calist), 1)
def save_caconnector_api(name=None):
"""
returns a json list of the available applications
"""
param = request.all_data
param["caconnector"] = name
g.audit_object.log({"detail": u"{0!s}".format(name)})
res = save_caconnector(param)
g.audit_object.log({"success": True})
return send_result(res)
def save_caconnector_api(name=None):
"""
returns a json list of the available applications
"""
param = request.all_data
param["caconnector"] = name
g.audit_object.log({"detail": "{0!s}".format(name)})
res = save_caconnector(param)
g.audit_object.log({"success": True})
return send_result(res)
def save_caconnector_api(name=None):
"""
Create a new CA connector
"""
param = request.all_data
param["caconnector"] = name
g.audit_object.log({"detail": u"{0!s}".format(name)})
res = save_caconnector(param)
g.audit_object.log({"success": True})
return send_result(res)
def test_02_create_token_from_request(self):
cwd = os.getcwd()
# setup ca connector
r = save_caconnector({
"cakey": CAKEY,
"cacert": CACERT,
"type": "local",
"caconnector": "localCA",
"openssl.cnf": OPENSSLCNF,
"CSRDir": "",
"CertificateDir": "",
"WorkingDir": cwd + "/" + WORKINGDIR
})
db_token = Token(self.serial2, tokentype="certificate")
db_token.save()
token = CertificateTokenClass(db_token)
# just upload a ready certificate
token.update({"ca": "localCA", "request": REQUEST})
self.assertTrue(token.token.serial == self.serial2, token)
self.assertTrue(token.token.tokentype == "certificate",
token.token.tokentype)
self.assertTrue(token.type == "certificate", token)
class_prefix = token.get_class_prefix()
self.assertTrue(class_prefix == "CRT", class_prefix)
self.assertTrue(token.get_class_type() == "certificate", token)
detail = token.get_init_detail()
certificate = detail.get("certificate")
# At each testrun, the certificate might get another serial number!
x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
self.assertEqual(
"{0!r}".format(x509obj.get_issuer()),
"<X509Name object '/C=DE/ST=Hessen"
"/O=privacyidea/CN=CA001'>")
self.assertEqual(
"{0!r}".format(x509obj.get_subject()),
"<X509Name object '/C=DE/ST=Hessen"
"/O=privacyidea/CN=requester.localdomain'>")
# Test, if the certificate is also completely stored in the tokeninfo
# and if we can retrieve it from the tokeninfo
token = get_tokens(serial=self.serial2)[0]
certificate = token.get_tokeninfo("certificate")
x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
self.assertEqual(
"{0!r}".format(x509obj.get_issuer()),
"<X509Name object '/C=DE/ST=Hessen"
"/O=privacyidea/CN=CA001'>")
self.assertEqual(
"{0!r}".format(x509obj.get_subject()),
"<X509Name object '/C=DE/ST=Hessen"
"/O=privacyidea/CN=requester.localdomain'>")
remove_token(self.serial2)
def test_04_create_token_on_server(self):
self.setUp_user_realms()
cwd = os.getcwd()
# setup ca connector
r = save_caconnector({"cakey": CAKEY,
"cacert": CACERT,
"type": "local",
"caconnector": "localCA",
"openssl.cnf": OPENSSLCNF,
"CSRDir": "",
"CertificateDir": "",
"WorkingDir": cwd + "/" + WORKINGDIR})
db_token = Token(self.serial3, tokentype="certificate")
db_token.save()
token = CertificateTokenClass(db_token)
# missing user
self.assertRaises(ParameterError,
token.update, {"ca": "localCA","genkey": 1})
token.update({"ca": "localCA", "genkey": 1,
"user": "******"})
self.assertEqual(token.token.serial, self.serial3)
self.assertEqual(token.token.tokentype, "certificate")
self.assertEqual(token.type, "certificate")
detail = token.get_init_detail()
certificate = detail.get("certificate")
# At each testrun, the certificate might get another serial number!
x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
self.assertEqual("{0!r}".format(x509obj.get_issuer()),
"<X509Name object '/C=DE/ST=Hessen"
"/O=privacyidea/CN=CA001'>")
self.assertEqual("{0!r}".format(x509obj.get_subject()),
"<X509Name object '/OU=realm1/CN=cornelius/[email protected]'>")
# Test, if the certificate is also completely stored in the tokeninfo
# and if we can retrieve it from the tokeninfo
token = get_tokens(serial=self.serial3)[0]
certificate = token.get_tokeninfo("certificate")
x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
self.assertEqual("{0!r}".format(x509obj.get_issuer()),
"<X509Name object '/C=DE/ST=Hessen"
"/O=privacyidea/CN=CA001'>")
self.assertEqual("{0!r}".format(x509obj.get_subject()),
"<X509Name object '/OU=realm1/CN=cornelius/[email protected]'>")
privatekey = token.get_tokeninfo("privatekey")
self.assertTrue(privatekey.startswith("-----BEGIN PRIVATE KEY-----"))
# check for pkcs12
self.assertTrue(detail.get("pkcs12"))
def test_04_read_ca_connector(self):
with self.app.test_request_context('/caconnector/',
data={},
method='GET',
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data.decode('utf8')).get("result")
self.assertTrue(result["status"] is True, result)
value = result["value"]
self.assertEqual(len(value), 1)
# create a second CA connector
save_caconnector({"caconnector": "con2",
"type": "local"})
with self.app.test_request_context('/caconnector/',
data={},
method='GET',
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data.decode('utf8')).get("result")
self.assertTrue(result["status"] is True, result)
value = result["value"]
self.assertEqual(len(value), 2)
# Get only one destinct connector filtered by name
with self.app.test_request_context('/caconnector/con1',
data={},
method='GET',
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data.decode('utf8')).get("result")
self.assertTrue(result["status"] is True, result)
value = result["value"]
self.assertEqual(len(value), 1)
self.assertEqual(value[0].get("connectorname"), "con1")
def test_04_read_ca_connector(self):
with self.app.test_request_context('/caconnector/',
data={},
method='GET',
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data.decode('utf8')).get("result")
self.assertTrue(result["status"] is True, result)
value = result["value"]
self.assertEqual(len(value), 1)
# create a second CA connector
save_caconnector({"caconnector": "con2",
"type": "local"})
with self.app.test_request_context('/caconnector/',
data={},
method='GET',
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data.decode('utf8')).get("result")
self.assertTrue(result["status"] is True, result)
value = result["value"]
self.assertEqual(len(value), 2)
# Get only one destinct connector filtered by name
with self.app.test_request_context('/caconnector/con1',
data={},
method='GET',
headers={'Authorization': self.at}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 200, res)
result = json.loads(res.data.decode('utf8')).get("result")
self.assertTrue(result["status"] is True, result)
value = result["value"]
self.assertEqual(len(value), 1)
self.assertEqual(value[0].get("connectorname"), "con1")
def test_02_create_token_from_request(self):
cwd = os.getcwd()
# setup ca connector
r = save_caconnector({"cakey": CAKEY,
"cacert": CACERT,
"type": "local",
"caconnector": "localCA",
"openssl.cnf": OPENSSLCNF,
"CSRDir": "",
"CertificateDir": "",
"WorkingDir": cwd + "/" + WORKINGDIR})
db_token = Token(self.serial2, tokentype="certificate")
db_token.save()
token = CertificateTokenClass(db_token)
# just upload a ready certificate
token.update({"ca": "localCA",
"request": REQUEST})
self.assertTrue(token.token.serial == self.serial2, token)
self.assertTrue(token.token.tokentype == "certificate",
token.token.tokentype)
self.assertTrue(token.type == "certificate", token)
class_prefix = token.get_class_prefix()
self.assertTrue(class_prefix == "CRT", class_prefix)
self.assertTrue(token.get_class_type() == "certificate", token)
detail = token.get_init_detail()
certificate = detail.get("certificate")
# At each testrun, the certificate might get another serial number!
x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
self.assertEqual("{0!r}".format(x509obj.get_issuer()),
"<X509Name object '/C=DE/ST=Hessen"
"/O=privacyidea/CN=CA001'>")
self.assertEqual("{0!r}".format(x509obj.get_subject()),
"<X509Name object '/C=DE/ST=Hessen"
"/O=privacyidea/CN=requester.localdomain'>")
# Test, if the certificate is also completely stored in the tokeninfo
# and if we can retrieve it from the tokeninfo
token = get_tokens(serial=self.serial2)[0]
certificate = token.get_tokeninfo("certificate")
x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
self.assertEqual("{0!r}".format(x509obj.get_issuer()),
"<X509Name object '/C=DE/ST=Hessen"
"/O=privacyidea/CN=CA001'>")
self.assertEqual("{0!r}".format(x509obj.get_subject()),
"<X509Name object '/C=DE/ST=Hessen"
"/O=privacyidea/CN=requester.localdomain'>")
def test_02b_success_request_with_attestation(self):
cwd = os.getcwd()
# setup ca connector
r = save_caconnector({
"cakey": CAKEY,
"cacert": CACERT,
"type": "local",
"caconnector": "localCA",
"openssl.cnf": OPENSSLCNF,
"CSRDir": "",
"CertificateDir": "",
"WorkingDir": cwd + "/" + WORKINGDIR
})
db_token = Token(self.serial2, tokentype="certificate")
db_token.save()
token = CertificateTokenClass(db_token)
# The cert request will success with a valid attestation certificate
token.update({
"ca": "localCA",
"attestation": YUBIKEY_ATTEST,
"request": YUBIKEY_CSR,
ACTION.TRUSTED_CA_PATH: ["tests/testdata/attestation/"]
})
class_prefix = token.get_class_prefix()
self.assertTrue(class_prefix == "CRT", class_prefix)
self.assertTrue(token.get_class_type() == "certificate", token)
detail = token.get_init_detail()
certificate = detail.get("certificate")
# At each testrun, the certificate might get another serial number!
x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
self.assertEqual(
"{0!r}".format(x509obj.get_issuer()),
"<X509Name object '/C=DE/ST=Hessen"
"/O=privacyidea/CN=CA001'>")
self.assertEqual("{0!r}".format(x509obj.get_subject()),
"<X509Name object '/CN=cn=cornelius'>")
remove_token(self.serial2)