def test_nss_validation_ok_no_ca(self, mock_run, mock_cainstance):
    """Run the NSS chain validation with the CA marked as not configured.

    Only the DS certificate (nickname prefixed ``slapd-``) is validated in
    that case, so exactly one SUCCESS result is expected.
    """
    def fake_run(args, raiseonerr=True):
        # certutil exit status 0 and its "valid" message on stdout.
        outcome = _RunResult('', '', 0)
        outcome.raw_output = b'certutil: certificate is valid\n'
        outcome.raw_error_output = b''
        return outcome

    mock_run.side_effect = fake_run
    mock_cainstance.return_value = CAInstance(False)

    registry.initialize(object())
    check = IPANSSChainValidation(registry)
    check.config = config.Config()
    self.results = capture_results(check)

    assert len(self.results) == 1
    for result in self.results.results:
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.ipa.certs'
        assert result.check == 'IPANSSChainValidation'
        assert 'slapd-' in result.kw.get('key')
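class TestOpenSSLValidation(BaseTest):
    """Exercise IPAOpenSSLChainValidation against a faked ``openssl verify``.

    ``ipautil.run`` is patched so no process is spawned; the fake reproduces
    the exit status and stdout shape that the check parses.  The last element
    of the command line is used as the certificate file name in the output.
    """
    patches = {
        'ipaserver.install.cainstance.CAInstance':
        Mock(return_value=CAInstance()),
    }

    @patch('ipapython.ipautil.run')
    def test_openssl_validation_ok(self, mock_run):
        """Both chains verify: two results, all SUCCESS."""
        def run(args, raiseonerr=True):
            result = _RunResult('', '', 0)
            # openssl prints "<file>: OK" for a chain that verifies.  The
            # original used '%s'.format(), which leaves a literal '%s' in
            # the output instead of the file name.
            result.raw_output = '{}: OK'.format(args[-1]).encode('utf-8')
            result.raw_error_output = b''
            return result

        mock_run.side_effect = run

        framework = object()
        registry.initialize(framework)
        f = IPAOpenSSLChainValidation(registry)
        f.config = config.Config()
        self.results = capture_results(f)

        assert len(self.results) == 2
        for result in self.results.results:
            assert result.result == constants.SUCCESS
            assert result.source == 'ipahealthcheck.ipa.certs'
            assert result.check == 'IPAOpenSSLChainValidation'

    @patch('ipapython.ipautil.run')
    def test_openssl_validation_bad(self, mock_run):
        """A chain whose issuer cannot be found must be reported as ERROR.

        The fake mimics a non-zero ``openssl verify`` exit status (2) and
        the "unable to get local issuer certificate" diagnostic.
        """
        def run(args, raiseonerr=True):
            result = _RunResult('', '', 2)
            # As above: '{}' so the file name is actually substituted.
            result.raw_output = (
                'O = EXAMPLE.TEST, CN = ipa.example.test\n'
                'error 20 at 0 depth lookup: unable to get local issuer '
                'certificate\nerror {}: verification failed'
            ).format(args[-1]).encode('utf-8')
            result.raw_error_output = b''
            result.error_log = ''
            return result

        mock_run.side_effect = run

        framework = object()
        registry.initialize(framework)
        f = IPAOpenSSLChainValidation(registry)
        f.config = config.Config()
        self.results = capture_results(f)

        assert len(self.results) == 2
        for result in self.results.results:
            assert result.result == constants.ERROR
            assert result.source == 'ipahealthcheck.ipa.certs'
            assert result.check == 'IPAOpenSSLChainValidation'
            assert 'failed' in result.kw.get('msg')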
def test_nss_validation_bad(self, mock_run, mock_cainstance):
    """An issuer marked untrusted by certutil must surface as ERROR.

    With a CA configured both the CA and the DS certificate are validated,
    so two results are expected and every one of them must be ERROR.
    """
    def fake_run(args, raiseonerr=True):
        # certutil exits 255 and explains the failure on stdout.
        outcome = _RunResult('', '', 255)
        outcome.raw_output = (
            "certutil: certificate is invalid: Peer's certificate issuer "
            "has been marked as not trusted by the user."
        ).encode()
        outcome.raw_error_output = b''
        outcome.error_log = ''
        return outcome

    mock_run.side_effect = fake_run
    mock_cainstance.return_value = CAInstance()

    registry.initialize(object())
    check = IPANSSChainValidation(registry)
    check.config = config.Config()
    self.results = capture_results(check)

    assert len(self.results) == 2
    for result in self.results.results:
        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.ipa.certs'
        assert result.check == 'IPANSSChainValidation'
def test_crlmanager_no_ca(self, mock_ca):
    """Without a CA the CRL manager check must emit no result at all."""
    mock_ca.return_value = CAInstance(False)

    registry.initialize(object(), config.Config)
    check = IPACRLManagerCheck(registry)
    self.results = capture_results(check)

    assert len(self.results) == 0
def test_trust_caless(self, mock_cainstance):
    """Without a CA the NSS trust check has no certificates to inspect."""
    mock_cainstance.return_value = CAInstance(False)

    registry.initialize(object(), config.Config)
    check = IPACertNSSTrust(registry)
    self.results = capture_results(check)

    assert len(self.results) == 0
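class TestCertmonger(BaseTest):
    """Tests for IPACertmongerCA.

    ``find_ca`` is patched to return one name per expected certmonger CA
    helper in order; a short list stands in for a missing helper.
    """
    patches = {
        'ipaserver.install.cainstance.CAInstance':
        Mock(return_value=CAInstance()),
    }

    @patch('ipahealthcheck.ipa.certs.IPACertmongerCA.find_ca')
    def test_certmogner_ok(self, mock_find_ca):
        """All three certmonger CAs are found: three SUCCESS results."""
        mock_find_ca.side_effect = [
            'IPA',
            'dogtag-ipa-ca-renew-agent',
            'dogtag-ipa-ca-renew-agent-reuse',
        ]

        framework = object()
        registry.initialize(framework)
        f = IPACertmongerCA(registry)
        self.results = capture_results(f)

        assert len(self.results) == 3
        for result in self.results.results:
            assert result.result == constants.SUCCESS
            assert result.source == 'ipahealthcheck.ipa.certs'
            assert result.check == 'IPACertmongerCA'

    @patch('ipahealthcheck.ipa.certs.IPACertmongerCA.find_ca')
    def test_certmogner_missing(self, mock_find_ca):
        """The third certmonger CA is absent: two SUCCESS, then one ERROR."""
        mock_find_ca.side_effect = [
            'IPA',
            'dogtag-ipa-ca-renew-agent',
        ]

        framework = object()
        registry.initialize(framework)
        f = IPACertmongerCA(registry)
        self.results = capture_results(f)

        assert len(self.results) == 3
        # Both CAs that find_ca returned must be SUCCESS.  The original loop
        # used range(0, 1) and therefore only ever inspected results[0].
        for result in self.results.results[:2]:
            assert result.result == constants.SUCCESS
            assert result.source == 'ipahealthcheck.ipa.certs'
            assert result.check == 'IPACertmongerCA'

        missing = self.results.results[2]
        assert missing.result == constants.ERROR
        assert missing.kw.get('key') == 'dogtag-ipa-ca-renew-agent-reuse'
        assert missing.kw.get('msg') == (
            "Certmonger CA 'dogtag-ipa-ca-renew-agent-reuse' missing"
        )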
def test_cacert_caless(self, mock_cainstance):
    """Without a CA the Dogtag certificate config check reports nothing."""
    mock_cainstance.return_value = CAInstance(False)

    registry.initialize(object())
    check = DogtagCertsConfigCheck(registry)
    check.config = config.Config()
    self.results = capture_results(check)

    assert len(self.results) == 0
def test_crlmanager(self, mock_ca):
    """With a CA present a single SUCCESS result reports crlgen_enabled."""
    mock_ca.return_value = CAInstance()

    registry.initialize(object(), config.Config)
    check = IPACRLManagerCheck(registry)
    self.results = capture_results(check)

    assert len(self.results) == 1
    result = self.results.results[0]
    assert result.result == constants.SUCCESS
    assert result.source == 'ipahealthcheck.ipa.roles'
    assert result.check == 'IPACRLManagerCheck'
    assert result.kw.get('crlgen_enabled') is True
def test_nss_validation_ok(self, mock_run, mock_cainstance):
    """With a CA configured both the CA and DS chains validate: two SUCCESS."""
    def fake_run(args, raiseonerr=True):
        outcome = _RunResult('', '', 0)
        outcome.raw_output = b'certutil: certificate is valid\n'
        outcome.raw_error_output = b''
        return outcome

    mock_run.side_effect = fake_run
    mock_cainstance.return_value = CAInstance()

    registry.initialize(object(), config.Config)
    check = IPANSSChainValidation(registry)
    self.results = capture_results(check)

    assert len(self.results) == 2
    for result in self.results.results:
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.ipa.certs'
        assert result.check == 'IPANSSChainValidation'
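class TestNSSAgent(BaseTest):
    """Tests for IPARAAgent.

    The check compares the RA agent certificate loaded from disk (patched
    ``load_certificate_from_file``) with the ``usercertificate`` values of
    the ``uid=ipara`` LDAP entry supplied through ``f.conn``.
    """
    cert = IPACertificate()
    patches = {
        'ldap.initialize':
        Mock(return_value=mock_ldap_conn()),
        'ipaserver.install.cainstance.CAInstance':
        Mock(return_value=CAInstance()),
        'ipalib.x509.load_certificate_from_file':
        Mock(return_value=cert),
    }

    RA_DN = 'uid=ipara,ou=people,o=ipaca'
    RA_DESCRIPTION = '2;1;CN=ISSUER;CN=RA AGENT'

    @staticmethod
    def _make_entry(conn, dn, attrs):
        """Return an LDAPEntry on *conn* at *dn* populated from *attrs*."""
        entry = LDAPEntry(conn, DN(dn))
        for attr, values in attrs.items():
            entry[attr] = values
        return entry

    def test_nss_agent_ok(self):
        """Entry description and certificate match the on-disk cert."""
        attrs = dict(
            description=[self.RA_DESCRIPTION],
            usercertificate=[self.cert],
        )
        fake_conn = LDAPClient('ldap://localhost', no_schema=True)
        ldapentry = self._make_entry(fake_conn, self.RA_DN, attrs)

        framework = object()
        registry.initialize(framework, config.Config())
        f = IPARAAgent(registry)
        f.conn = mock_ldap([ldapentry])
        self.results = capture_results(f)

        assert len(self.results) == 1
        result = self.results.results[0]
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.ipa.certs'
        assert result.check == 'IPARAAgent'

    def test_nss_agent_no_description(self):
        """An entry without a description attribute is an ERROR."""
        attrs = dict(
            usercertificate=[self.cert],
        )
        fake_conn = LDAPClient('ldap://localhost', no_schema=True)
        ldapentry = self._make_entry(fake_conn, self.RA_DN, attrs)

        framework = object()
        registry.initialize(framework, config.Config())
        f = IPARAAgent(registry)
        f.conn = mock_ldap([ldapentry])
        self.results = capture_results(f)

        result = self.results.results[0]
        assert result.result == constants.ERROR
        assert 'description' in result.kw.get('msg')

    @patch('ipalib.x509.load_certificate_from_file')
    def test_nss_agent_load_failure(self, mock_load_cert):
        """Failure to read the RA cert from disk is reported with the error."""
        mock_load_cert.side_effect = IOError('test')

        framework = object()
        registry.initialize(framework, config.Config())
        f = IPARAAgent(registry)
        self.results = capture_results(f)

        result = self.results.results[0]
        assert result.result == constants.ERROR
        assert result.kw.get('error') == 'test'

    def test_nss_agent_no_entry_found(self):
        """No uid=ipara entry in LDAP is an ERROR."""
        framework = object()
        registry.initialize(framework, config.Config())
        f = IPARAAgent(registry)
        f.conn = mock_ldap(None)  # None == NotFound
        self.results = capture_results(f)

        result = self.results.results[0]
        assert result.result == constants.ERROR
        assert result.kw.get('msg') == 'RA agent not found in LDAP'

    def test_nss_agent_too_many(self):
        """More than one matching entry is an ERROR reporting the count."""
        attrs = dict(
            description=[self.RA_DESCRIPTION],
            usercertificate=[self.cert],
        )
        fake_conn = LDAPClient('ldap://localhost', no_schema=True)
        ldapentry = self._make_entry(fake_conn, self.RA_DN, attrs)
        # The original populated ldapentry twice and left ldapentry2 empty;
        # both entries are meant to carry the same attributes.
        ldapentry2 = self._make_entry(
            fake_conn, 'uid=ipara2,ou=people,o=ipaca', attrs
        )

        framework = object()
        registry.initialize(framework, config.Config())
        f = IPARAAgent(registry)
        f.conn = mock_ldap([ldapentry, ldapentry2])
        self.results = capture_results(f)

        result = self.results.results[0]
        assert result.result == constants.ERROR
        assert result.kw.get('found') == 2

    def test_nss_agent_nonmatching_cert(self):
        """The LDAP certificate differs from the on-disk one: ERROR."""
        cert2 = IPACertificate(2)
        attrs = dict(
            description=[self.RA_DESCRIPTION],
            usercertificate=[cert2],
        )
        fake_conn = LDAPClient('ldap://localhost', no_schema=True)
        ldapentry = self._make_entry(fake_conn, self.RA_DN, attrs)

        framework = object()
        registry.initialize(framework, config.Config())
        f = IPARAAgent(registry)
        f.conn = mock_ldap([ldapentry])
        self.results = capture_results(f)

        result = self.results.results[0]
        assert result.result == constants.ERROR
        assert result.kw.get('certfile') == paths.RA_AGENT_PEM
        assert result.kw.get('dn') == 'uid=ipara,ou=people,o=ipaca'

    def test_nss_agent_multiple_certs(self):
        """The on-disk cert is one of several usercertificate values: SUCCESS."""
        cert2 = IPACertificate(2)
        attrs = dict(
            description=[self.RA_DESCRIPTION],
            usercertificate=[cert2, self.cert],
        )
        fake_conn = LDAPClient('ldap://localhost', no_schema=True)
        ldapentry = self._make_entry(fake_conn, self.RA_DN, attrs)

        framework = object()
        registry.initialize(framework, config.Config)
        f = IPARAAgent(registry)
        f.conn = mock_ldap([ldapentry])
        self.results = capture_results(f)

        assert len(self.results) == 1
        result = self.results.results[0]
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.ipa.certs'
        assert result.check == 'IPARAAgent'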
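class TestCAConnectivity(BaseTest):
    """Tests for DogtagCertsConnectivityCheck.

    Each test steers the three mocked steps the check depends on: the
    expected CA subject (``lookup_ca_subject``), the certificates loaded
    from paths.IPA_CA_CRT (``load_certificate_list_from_file``) and the
    ``cert_show`` / ``config_show`` API calls on ``m_api``.
    """
    patches = {
        'ipaserver.install.cainstance.CAInstance':
        Mock(return_value=CAInstance()),
    }

    @staticmethod
    def _ca_subject(org=None):
        """Return the CA subject DN; *org* defaults to the realm of m_api."""
        if org is None:
            org = f'O={m_api.env.realm}'
        return DN(('cn', 'Certificate Authority'), org)

    @staticmethod
    def _cert_show_ok():
        """Make cert_show answer with an unrevoked certificate."""
        m_api.Command.cert_show.side_effect = None
        m_api.Command.cert_show.return_value = {
            u'result': {u'revoked': False}
        }

    def _run_check(self):
        """Run the connectivity check once, assert one result, return it."""
        framework = object()
        registry.initialize(framework, config.Config)
        f = DogtagCertsConnectivityCheck(registry)
        self.results = capture_results(f)
        assert len(self.results) == 1
        return self.results.results[0]

    @patch('ipaserver.install.ca.lookup_ca_subject')
    @patch('ipalib.x509.load_certificate_list_from_file')
    def test_ca_connection_ok(self, mock_load_cert, mock_ca_subject):
        """cert_show succeeds for the CA cert found in IPA_CA_CRT: SUCCESS."""
        self._cert_show_ok()
        m_api.Command.config_show.side_effect = subject_base
        mock_load_cert.return_value = [IPACertificate(12345)]
        mock_ca_subject.return_value = self._ca_subject()

        result = self._run_check()
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.check == 'DogtagCertsConnectivityCheck'

    @patch('ipaserver.install.ca.lookup_ca_subject')
    @patch('ipalib.x509.load_certificate_list_from_file')
    def test_ca_connection_cert_not_found(self, mock_load_cert,
                                          mock_ca_subject):
        """cert_show reports the serial as unknown: ERROR keyed cert_show_1."""
        m_api.Command.cert_show.reset_mock()
        m_api.Command.config_show.side_effect = subject_base
        m_api.Command.cert_show.side_effect = CertificateOperationError(
            message='Certificate operation cannot be completed: '
                    'EXCEPTION (Certificate serial number 0x0 not found)'
        )
        mock_load_cert.return_value = [IPACertificate()]
        mock_ca_subject.return_value = self._ca_subject()

        result = self._run_check()
        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.check == 'DogtagCertsConnectivityCheck'
        assert result.kw.get('key') == 'cert_show_1'
        assert result.kw.get('serial') == '1'
        assert result.kw.get('msg') == 'Serial number not found: {error}'

    @patch('ipaserver.install.ca.lookup_ca_subject')
    @patch('ipalib.x509.load_certificate_list_from_file')
    def test_ca_connection_cert_file_not_found(self, mock_load_cert,
                                               mock_ca_subject):
        """IPA_CA_CRT cannot be read: ERROR keyed ipa_ca_crt_file_missing.

        The original docstring described this as a missing certificate; it
        is the certificate *file* that is missing.
        """
        m_api.Command.cert_show.reset_mock()
        m_api.Command.config_show.side_effect = subject_base
        mock_load_cert.side_effect = FileNotFoundError()
        mock_ca_subject.return_value = self._ca_subject()

        result = self._run_check()
        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.check == 'DogtagCertsConnectivityCheck'
        assert result.kw.get('key') == 'ipa_ca_crt_file_missing'
        assert result.kw.get('path') == paths.IPA_CA_CRT

    @patch('ipaserver.install.ca.lookup_ca_subject')
    @patch('ipalib.x509.load_certificate_list_from_file')
    def test_ca_connection_cert_not_in_file_list(self, mock_load_cert,
                                                 mock_ca_subject):
        """The expected CA subject (O=BAD) is not in IPA_CA_CRT: ERROR."""
        m_api.Command.cert_show.reset_mock()
        m_api.Command.config_show.side_effect = bad_subject_base
        mock_load_cert.return_value = [IPACertificate()]
        mock_ca_subject.return_value = self._ca_subject('O=BAD')

        result = self._run_check()
        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.check == 'DogtagCertsConnectivityCheck'
        bad = bad_subject_base[0]['result']['ipacertificatesubjectbase'][0]
        bad_subject = DN(f'CN=Certificate Authority,{bad}')
        assert DN(result.kw['subject']) == bad_subject
        assert result.kw['path'] == paths.IPA_CA_CRT
        assert result.kw['msg'] == (
            'The CA certificate with subject {subject} was not found in {path}'
        )

    @patch('ipaserver.install.ca.lookup_ca_subject')
    @patch('ipalib.x509.load_certificate_list_from_file')
    def test_ca_connection_down(self, mock_load_cert, mock_ca_subject):
        """cert_show cannot reach CMS (503): ERROR with the request message."""
        m_api.Command.cert_show.side_effect = CertificateOperationError(
            message='Certificate operation cannot be completed: '
                    'Unable to communicate with CMS (503)'
        )
        m_api.Command.config_show.side_effect = subject_base
        mock_load_cert.return_value = [IPACertificate()]
        mock_ca_subject.return_value = self._ca_subject()

        result = self._run_check()
        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.check == 'DogtagCertsConnectivityCheck'
        assert result.kw.get('msg') == (
            'Request for certificate failed: {error}'
        )

    @patch('ipaserver.install.ca.lookup_ca_subject')
    @patch('ipalib.x509.load_certificate_list_from_file')
    def test_ca_connection_multiple_ok(self, mock_load_cert, mock_ca_subject):
        """The CA cert is found even when listed after another cert."""
        self._cert_show_ok()
        m_api.Command.config_show.side_effect = subject_base
        mock_load_cert.return_value = [
            IPACertificate(1, 'CN=something'),
            IPACertificate(12345),
        ]
        mock_ca_subject.return_value = self._ca_subject()

        result = self._run_check()
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.dogtag.ca'

    @patch('ipaserver.install.ca.lookup_ca_subject')
    @patch('ipalib.x509.load_certificate_list_from_file')
    def test_ca_connection_multiple_ok_reverse(self, mock_load_cert,
                                               mock_ca_subject):
        """The CA cert is found when listed before another cert."""
        self._cert_show_ok()
        m_api.Command.config_show.side_effect = subject_base
        mock_load_cert.return_value = [
            IPACertificate(12345),
            IPACertificate(1, 'CN=something'),
        ]
        mock_ca_subject.return_value = self._ca_subject()

        result = self._run_check()
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.dogtag.ca'

    @patch('ipaserver.install.ca.lookup_ca_subject')
    @patch('ipalib.x509.load_certificate_list_from_file')
    def test_ca_connection_not_found(self, mock_load_cert, mock_ca_subject):
        """No cert in IPA_CA_CRT carries the CA subject: ERROR.

        cert_show itself would succeed; the failure comes from the subject
        lookup in the file.  (The original docstring was copied from the
        success case.)
        """
        self._cert_show_ok()
        m_api.Command.config_show.side_effect = subject_base
        mock_load_cert.return_value = [
            IPACertificate(1, 'CN=something'),
        ]
        mock_ca_subject.return_value = self._ca_subject()

        result = self._run_check()
        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.kw['msg'] == (
            'The CA certificate with subject {subject} was not found in {path}'
        )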
class TestCAConnectivity(BaseTest):
    """Tests for DogtagCertsConnectivityCheck driven only through cert_show.

    Only the outcome of ``m_api.Command.cert_show`` is varied; it is the
    single signal this version of the check uses to decide CA reachability.
    """
    patches = {
        'ipaserver.install.cainstance.CAInstance':
        Mock(return_value=CAInstance()),
    }

    def _run_check(self):
        """Run the check once, assert a single result and return it."""
        registry.initialize(object(), config.Config)
        check = DogtagCertsConnectivityCheck(registry)
        self.results = capture_results(check)
        assert len(self.results) == 1
        return self.results.results[0]

    def test_ca_connection_ok(self):
        """cert_show returns an unrevoked certificate: SUCCESS."""
        m_api.Command.cert_show.side_effect = None
        m_api.Command.cert_show.return_value = {u'result': {u'revoked': False}}

        result = self._run_check()
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.check == 'DogtagCertsConnectivityCheck'

    def test_ca_connection_cert_not_found(self):
        """cert_show raises "serial not found".

        The test expects SUCCESS: the CA answered the request, so an
        unknown serial is treated as proof of connectivity here.
        """
        m_api.Command.cert_show.reset_mock()
        m_api.Command.cert_show.side_effect = CertificateOperationError(
            message='Certificate operation cannot be completed: '
                    'EXCEPTION (Certificate serial number 0x0 not found)')

        result = self._run_check()
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.check == 'DogtagCertsConnectivityCheck'

    def test_ca_connection_down(self):
        """cert_show cannot reach CMS (503): ERROR carrying the message."""
        m_api.Command.cert_show.side_effect = CertificateOperationError(
            message='Certificate operation cannot be completed: '
                    'Unable to communicate with CMS (503)')

        result = self._run_check()
        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.check == 'DogtagCertsConnectivityCheck'
        assert 'Unable to communicate' in result.kw.get('msg')
class TestCACerts(BaseTest):
    """Tests for DogtagCertsConfigCheck.

    ``CertDB`` is replaced by a fake built from a nickname -> trust-flags
    mapping, and ``get_directive`` yields the nicknames the CA config names
    for each certificate, in order.
    """
    patches = {
        'ipaserver.install.cainstance.CAInstance':
        Mock(return_value=CAInstance()),
        'ipaserver.install.krainstance.KRAInstance':
        Mock(return_value=KRAInstance()),
    }

    # Trust flags as they should look on a healthy CA+KRA install.
    EXPECTED_TRUST = {
        'ocspSigningCert cert-pki-ca': 'u,u,u',
        'subsystemCert cert-pki-ca': 'u,u,u',
        'auditSigningCert cert-pki-ca': 'u,u,Pu',
        'Server-Cert cert-pki-ca': 'u,u,u',
        'caSigningCert cert-pki-ca': 'CT,C,C',
        'transportCert cert-pki-kra': 'u,u,u',
    }

    def _run_check(self):
        """Run DogtagCertsConfigCheck once and store the captured results."""
        registry.initialize(object())
        check = DogtagCertsConfigCheck(registry)
        check.config = config.Config()
        self.results = capture_results(check)
        return self.results

    @patch('ipahealthcheck.dogtag.ca.get_directive')
    @patch('ipaserver.install.certs.CertDB')
    def test_ca_certs_ok(self, mock_certdb, mock_directive):
        """Test what should be the standard case: six SUCCESS results."""
        trust = dict(self.EXPECTED_TRUST)
        mock_certdb.return_value = mock_CertDB(trust)
        mock_directive.side_effect = list(trust)

        results = self._run_check()

        assert len(results) == 6
        for result in results.results:
            assert result.result == constants.SUCCESS
            assert result.source == 'ipahealthcheck.dogtag.ca'
            assert result.check == 'DogtagCertsConfigCheck'

    @patch('ipahealthcheck.dogtag.ca.get_directive')
    @patch('ipaserver.install.certs.CertDB')
    def test_cert_missing_from_file(self, mock_certdb, mock_directive):
        """Test a missing certificate.

        Note that if it is missing from the database then this check will
        not catch the error but it will be caught elsewhere.
        """
        trust = dict(self.EXPECTED_TRUST)
        trust['caSigningCert cert-pki-ca'] = 'CT,,'
        mock_certdb.return_value = mock_CertDB(trust)

        # The 3rd directive names a nickname that is not in the database.
        bad_index = 2
        nicknames = list(trust)
        assert nicknames[bad_index] == 'auditSigningCert cert-pki-ca'
        nicknames[bad_index] = 'NOT auditSigningCert cert-pki-ca'
        mock_directive.side_effect = nicknames

        results = self._run_check()

        for position, result in enumerate(results.results):
            if position == bad_index:
                continue  # the mismatched one is checked below
            assert result.result == constants.SUCCESS
            assert result.source == 'ipahealthcheck.dogtag.ca'
            assert result.check == 'DogtagCertsConfigCheck'

        bad_result = results.results[bad_index]
        assert bad_result.result == constants.ERROR
        assert bad_result.source == 'ipahealthcheck.dogtag.ca'
        assert bad_result.check == 'DogtagCertsConfigCheck'
        assert bad_result.kw.get('key') == 'auditSigningCert cert-pki-ca'
        assert len(results) == 6

    @patch('ipaserver.install.cainstance.CAInstance')
    def test_cacert_caless(self, mock_cainstance):
        """Nothing to check if the master is CALess."""
        mock_cainstance.return_value = CAInstance(False)

        results = self._run_check()

        assert len(results) == 0
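class TestNSSDBTrust(BaseTest):
    """Tests for IPACertNSSTrust.

    ``CertDB`` is replaced by a fake built from a nickname -> trust-flags
    mapping; the KRA is marked absent so only the four CA certificates are
    expected.
    """
    patches = {
        'ipaserver.install.cainstance.CAInstance':
        Mock(return_value=CAInstance()),
        'ipaserver.install.krainstance.KRAInstance':
        Mock(return_value=KRAInstance(False)),
        'ipapython.certdb.unparse_trust_flags':
        Mock(side_effect=my_unparse_trust_flags),
    }

    def _run_check(self):
        """Run IPACertNSSTrust once and store the captured results."""
        framework = object()
        registry.initialize(framework, config.Config)
        f = IPACertNSSTrust(registry)
        self.results = capture_results(f)
        return self.results

    @patch('ipaserver.install.certs.CertDB')
    def test_trust_default_ok(self, mock_certdb):
        """Test what should be the standard case"""
        trust = {
            'ocspSigningCert cert-pki-ca': 'u,u,u',
            'subsystemCert cert-pki-ca': 'u,u,u',
            'auditSigningCert cert-pki-ca': 'u,u,Pu',
            'Server-Cert cert-pki-ca': 'u,u,u'
        }
        mock_certdb.return_value = mock_CertDB(trust)

        results = self._run_check()

        assert len(results) == 4
        for result in results.results:
            assert result.result == constants.SUCCESS
            assert result.source == 'ipahealthcheck.ipa.certs'
            assert result.check == 'IPACertNSSTrust'
            assert 'cert-pki-ca' in result.kw.get('key')

    @patch('ipaserver.install.certs.CertDB')
    def test_trust_ocsp_missing(self, mock_certdb):
        """Test a missing certificate"""
        trust = {
            'subsystemCert cert-pki-ca': 'u,u,u',
            'auditSigningCert cert-pki-ca': 'u,u,Pu',
            'Server-Cert cert-pki-ca': 'u,u,u'
        }
        mock_certdb.return_value = mock_CertDB(trust)

        results = self._run_check()

        # The check reports success for those that it found and are correct
        # and reports missing certs last.  All three present certificates
        # must be SUCCESS; the original loop stopped at len - 2 and never
        # inspected the third one.
        for result in results.results[:-1]:
            assert result.result == constants.SUCCESS
            assert result.source == 'ipahealthcheck.ipa.certs'
            assert result.check == 'IPACertNSSTrust'
            assert 'cert-pki-ca' in result.kw.get('key')

        result = results.results[-1]
        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.ipa.certs'
        assert result.check == 'IPACertNSSTrust'
        assert result.kw.get('key') == 'ocspSigningCert cert-pki-ca'
        assert result.kw.get('msg') == (
            'Certificate ocspSigningCert cert-pki-ca missing while verifying '
            'trust'
        )
        assert len(results) == 4

    @patch('ipaserver.install.certs.CertDB')
    def test_trust_bad(self, mock_certdb):
        """Test multiple unexpected trust flags"""
        trust = {
            'ocspSigningCert cert-pki-ca': 'u,u,u',
            'subsystemCert cert-pki-ca': 'X,u,u',
            'auditSigningCert cert-pki-ca': 'u,u,Pu',
            'Server-Cert cert-pki-ca': 'X,u,u'
        }
        mock_certdb.return_value = mock_CertDB(trust)

        results = self._run_check()

        # Results follow the order of the trust mapping; entries 1 and 3 carry
        # the wrong first trust flag ('X' instead of 'u').
        result = results.results[1]
        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.ipa.certs'
        assert result.check == 'IPACertNSSTrust'
        assert result.kw.get('key') == 'subsystemCert cert-pki-ca'
        assert result.kw.get('msg') == (
            'Incorrect NSS trust for subsystemCert cert-pki-ca. Got X,u,u '
            'expected u,u,u'
        )

        result = results.results[3]
        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.ipa.certs'
        assert result.check == 'IPACertNSSTrust'
        assert result.kw.get('key') == 'Server-Cert cert-pki-ca'
        assert result.kw.get('msg') == (
            'Incorrect NSS trust for Server-Cert cert-pki-ca. Got X,u,u '
            'expected u,u,u'
        )
        assert len(results) == 4

    @patch('ipaserver.install.cainstance.CAInstance')
    def test_trust_caless(self, mock_cainstance):
        """Nothing to check if the master is CALess"""
        mock_cainstance.return_value = CAInstance(False)

        results = self._run_check()

        assert len(results) == 0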
class TestRevocation(BaseTest):
    """Tests for IPACertRevocation.

    Two tracked certmonger requests are set up via ``set_requests`` and the
    ``cert_show`` answers for them are queued on ``m_api`` in that order.
    """
    patches = {
        'ipaserver.install.certs.is_ipa_issued_cert':
        Mock(return_value=True),
        'ipalib.x509.load_certificate_from_file':
        Mock(return_value=IPACertificate()),
        'ipahealthcheck.ipa.certs.get_expected_requests':
        Mock(return_value=get_expected_requests()),
        'ipalib.install.certmonger._cm_dbus_object':
        Mock(side_effect=create_mock_dbus),
        'ipalib.install.certmonger._certmonger':
        Mock(return_value=_certmonger()),
        'ipaserver.install.cainstance.CAInstance':
        Mock(return_value=CAInstance()),
    }

    @staticmethod
    def _cert_show_reply(revoked, reason=None):
        """Build one cert_show reply; *reason* is added only when given."""
        payload = {u"revoked": revoked}
        if reason is not None:
            payload[u"revocation_reason"] = reason
        return {u'result': payload}

    def _run_check(self):
        """Set up the requests, run IPACertRevocation and store the results."""
        set_requests()
        registry.initialize(object())
        check = IPACertRevocation(registry)
        check.config = config.Config()
        self.results = capture_results(check)
        return self.results

    def test_revocation_ok(self):
        """Neither tracked certificate is revoked: two SUCCESS results."""
        m_api.Command.cert_show.side_effect = [
            self._cert_show_reply(False),
            self._cert_show_reply(False),
        ]

        results = self._run_check()

        assert len(results) == 2
        for result in results.results:
            assert result.result == constants.SUCCESS
            assert result.source == 'ipahealthcheck.ipa.certs'
            assert result.check == 'IPACertRevocation'

    def test_revocation_one_bad(self):
        """The second certificate is revoked (reason 4): reported as ERROR
        with the reason rendered as 'superseded'."""
        m_api.Command.cert_show.side_effect = [
            self._cert_show_reply(False),
            self._cert_show_reply(True, reason=4),
        ]

        results = self._run_check()

        assert len(results) == 2
        first, second = results.results[0], results.results[1]

        assert first.result == constants.SUCCESS
        assert first.source == 'ipahealthcheck.ipa.certs'
        assert first.check == 'IPACertRevocation'

        assert second.result == constants.ERROR
        assert second.source == 'ipahealthcheck.ipa.certs'
        assert second.check == 'IPACertRevocation'
        assert second.kw.get('revocation_reason') == 'superseded'