    def test_external_ca(self):
        """Install with an external CA, then try to renew with a mangled cert.

        After the two-step external-CA install a renewal CSR is requested
        (``renew --external-ca``).  The IPA CA certificate is then stripped
        of its PEM ``CERTIFICATE`` marker lines so the remaining base64 body
        is no longer a loadable certificate, and a renewal offering that file
        is expected to be refused with exit status 1.
        """
        # Step 1 of ipa-server-install: produce the CSR for the external CA.
        install_server_external_ca_step1(self.master)

        # Sign the CSR, copy root and IPA CA certs to the host, get their paths.
        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
            self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)

        # Step 2 of ipa-server-install: finish the install with the chain.
        install_server_external_ca_step2(self.master, ipa_ca_fname,
                                         root_ca_fname)

        # Request a renewal CSR.  The exit status is not asserted here;
        # raiseonerr=False is passed explicitly below only where a failure is
        # the expected outcome, so run_command presumably raises by default.
        self.master.run_command(
            [paths.IPA_CACERT_MANAGE, 'renew', '--external-ca'])

        # Drop the BEGIN/END CERTIFICATE lines: the leftover base64 body is
        # not a parseable PEM certificate.
        stripped = self.master.run_command(
            ['grep', '-v', 'CERTIFICATE', ipa_ca_fname])
        bad_cert_path = os.path.join(self.master.config.test_dir, 'bad_ca.crt')
        self.master.put_file_contents(bad_cert_path, stripped.stdout_text)

        # Sign the renewal CSR so a genuine root CA certificate is available.
        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
            self.master, paths.IPA_CA_CSR, ROOT_CA, IPA_CA)

        # Renewal with the mangled IPA CA cert must be refused.
        renew_cmd = [
            paths.IPA_CACERT_MANAGE, 'renew',
            '--external-cert-file', bad_cert_path,
            '--external-cert-file', root_ca_fname,
        ]
        outcome = self.master.run_command(renew_cmd, raiseonerr=False)
        assert outcome.returncode == 1
    def test_external_ca(self):
        """External-CA install followed by a renewal attempt with a broken cert.

        Once the server is installed against the external CA, a renewal CSR
        is requested.  A copy of the IPA CA certificate with its
        ``-----BEGIN/END CERTIFICATE-----`` lines removed is placed on the
        host and offered to ``ipa-cacert-manage renew``; the tool is expected
        to refuse it with exit status 1.
        """
        master = self.master

        # Step 1 of ipa-server-install.
        install_server_external_ca_step1(master)

        # Sign the CSR, transport root and IPA CA certs, get their paths.
        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
            master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)

        # Step 2 of ipa-server-install.
        install_server_external_ca_step2(master, ipa_ca_fname, root_ca_fname)

        # Produce the renewal CSR.
        master.run_command([paths.IPA_CACERT_MANAGE, 'renew', '--external-ca'])

        # Everything except the PEM marker lines -> not a loadable certificate.
        grep_out = master.run_command(
            ['grep', '-v', 'CERTIFICATE', ipa_ca_fname])
        invalid_cert = os.path.join(master.config.test_dir, 'bad_ca.crt')
        master.put_file_contents(invalid_cert, grep_out.stdout_text)

        # Sign the renewal CSR so a genuine root CA cert is at hand.
        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
            master, paths.IPA_CA_CSR, ROOT_CA, IPA_CA)

        # Renewal with the invalid IPA CA cert must fail.
        outcome = master.run_command(
            [
                paths.IPA_CACERT_MANAGE, 'renew',
                '--external-cert-file', invalid_cert,
                '--external-cert-file', root_ca_fname,
            ],
            raiseonerr=False,
        )
        assert outcome.returncode == 1
    def test_switch_to_external_ca(self):
        """Switch a self-signed IPA CA over to an externally signed one.

        Requests a renewal CSR, has the test root CA sign it, installs the
        resulting chain with ``ipa-cacert-manage renew``, refreshes the local
        certificate databases, then checks that the new CA carries the "C"
        trust flag and that the CA's LDAP entry reflects the new certificate.
        """
        # Request a CSR for the external CA.
        renew_csr = self.master.run_command(
            [paths.IPA_CACERT_MANAGE, 'renew', '--external-ca'])
        assert renew_csr.returncode == 0

        # Sign the CSR, copy the root and IPA CA certs over, get their paths.
        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
            self.master, paths.IPA_CA_CSR, ROOT_CA, IPA_CA)

        # Install the externally signed chain (IPA CA first, then root).
        cert_args = [
            '--external-cert-file={}'.format(name)
            for name in (ipa_ca_fname, root_ca_fname)
        ]
        renewal = self.master.run_command(
            [paths.IPA_CACERT_MANAGE, 'renew'] + cert_args)
        assert renewal.returncode == 0

        # Push the new chain into the local certificate databases.
        update = self.master.run_command([paths.IPA_CERTUPDATE])
        assert update.returncode == 0

        # The external CA must be trusted as a CA ("C" flag) after the switch.
        assert check_CA_flag(self.master), 'External CA does not have "C" flag'

        # The CA's LDAP entry must now describe the new certificate.
        cacrt = ipa_x509.load_pem_x509_certificate(
            self.master.get_file_contents(ipa_ca_fname))
        verify_caentry(self.master, cacrt)
    def test_switch_to_external_ca(self):
        """Replace the self-signed IPA CA with an externally signed certificate.

        Requests a renewal CSR, gets it signed by the test root CA, installs
        the new chain, refreshes the certificate databases and verifies that
        the external CA ends up with the "C" trust flag.
        """
        master = self.master

        # Request the renewal CSR.
        csr_result = master.run_command(
            [paths.IPA_CACERT_MANAGE, 'renew', '--external-ca'])
        assert csr_result.returncode == 0

        # Sign the CSR, transport root and IPA CA certs, get their paths.
        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
            master, paths.IPA_CA_CSR, ROOT_CA, IPA_CA)

        # Renew with the externally signed chain.
        ipa_arg = '--external-cert-file={}'.format(ipa_ca_fname)
        root_arg = '--external-cert-file={}'.format(root_ca_fname)
        renew_result = master.run_command(
            [paths.IPA_CACERT_MANAGE, 'renew', ipa_arg, root_arg])
        assert renew_result.returncode == 0

        # Refresh the IPA certificate databases with the new chain.
        update_result = master.run_command([paths.IPA_CERTUPDATE])
        assert update_result.returncode == 0

        # After the switch the external CA must carry the "C" (trusted CA) flag.
        has_c_flag = check_CA_flag(master)
        assert bool(has_c_flag), 'External CA does not have "C" flag'
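    def test_external_ca(self):
        """Two-step external-CA server install, followed by a replica install.

        Checks that the server answers ``ipa user-show admin`` after the
        install, that a replica can be set up against it, and that the
        replication agreement carries the expected final settings.
        """
        # Step 1 of ipa-server-install: produce the CSR for the external CA.
        result = install_server_external_ca_step1(self.master)
        assert result.returncode == 0

        # Sign the CSR, copy the root and IPA CA certs over, get their paths.
        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
            self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)

        # Step 2 of ipa-server-install: finish with the signed chain.
        result = install_server_external_ca_step2(self.master, ipa_ca_fname,
                                                  root_ca_fname)
        assert result.returncode == 0

        # Make sure the IPA server is working properly.
        tasks.kinit_admin(self.master)
        result = self.master.run_command(['ipa', 'user-show', 'admin'])
        assert 'User login: admin' in result.stdout_text

        # A replica must be installable against the externally signed CA.
        tasks.install_replica(self.master, self.replicas[0])

        # Check that nsds5ReplicaReleaseTimeout was set on the agreement.
        # Delegate the Directory Manager bind to the shared search helper
        # instead of hand-building the ldapsearch command with
        # config.dirman_password spliced into this test's own argv; this is
        # the same helper the other replica-settings checks use.
        result = tasks.ldapsearch_dm(
            self.master,
            'cn=mapping tree,cn=config',
            ['(cn=replica)'],
        )
        # case insensitive match
        text = result.stdout_text.lower()
        # see ipaserver.install.replication.REPLICA_FINAL_SETTINGS
        assert 'nsds5ReplicaReleaseTimeout: 60'.lower() in text
        assert 'nsDS5ReplicaBindDnGroupCheckInterval: 60'.lower() in text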
 def test_invalid_intermediate(self):
     """Installation must fail when the root CA may not sign a sub-CA.

     The test root CA is issued with ``root_ca_path_length=0`` (a path
     length constraint of 0, so presumably no CA certificate may sit below
     it).  Step 2 of the external-CA install is expected to reject the chain
     and mention the path length constraint on stderr.
     """
     install_server_external_ca_step1(self.master)
     # Root CA with path length 0.
     root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
         self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA,
         root_ca_path_length=0)
     outcome = install_server_external_ca_step2(
         self.master, ipa_ca_fname, root_ca_fname, raiseonerr=False)
     assert outcome.returncode > 0
     # Substring is matched verbatim against the installer's stderr, so the
     # spelling ("contraint") must stay exactly as the tool emits it.
     assert "basic contraint pathlen" in outcome.stderr_text
 def test_invalid_intermediate(self):
     """Refuse a chain whose root CA may not have a subordinate CA.

     The root is signed with ``root_ca_path_length=0``; step 2 of the
     external-CA install must fail and report the path length constraint.
     """
     master = self.master
     install_server_external_ca_step1(master)

     # Path length 0 on the root: presumably no intermediate CA is allowed.
     root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
         master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA, root_ca_path_length=0)

     step2 = install_server_external_ca_step2(
         master,
         ipa_ca_fname,
         root_ca_fname,
         raiseonerr=False,
     )
     assert step2.returncode > 0
     # Matched literally against stderr; keep the spelling the tool uses.
     assert "basic contraint pathlen" in step2.stderr_text
    def test_external_ca_with_too_small_key(self):
        """Renewal must be refused when the external CA uses a 1024-bit key."""
        # Reuse the existing deployment and its renewal CSR, but have the
        # test CA sign with an undersized key.
        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
            self.master, paths.IPA_CA_CSR, ROOT_CA, IPA_CA, key_size=1024)

        renew_args = [paths.IPA_CACERT_MANAGE, 'renew']
        for cert_file in (ipa_ca_fname, root_ca_fname):
            renew_args += ['--external-cert-file', cert_file]

        # Expected to fail: exit status 1 from ipa-cacert-manage.
        outcome = self.master.run_command(renew_args, raiseonerr=False)
        assert outcome.returncode == 1
    def install(cls, mh):
        """Set up the topology: external-CA master, one client, one replica.

        Presumably a classmethod (any decorator is outside this excerpt);
        ``mh`` is handed through to the parent's ``install``.
        """
        super(TestACMEwithExternalCA, cls).install(mh)

        # Master with an externally signed CA: two-step install.
        step1 = install_server_external_ca_step1(cls.master)
        assert step1.returncode == 0
        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
            cls.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)
        install_server_external_ca_step2(
            cls.master, ipa_ca_fname, root_ca_fname)
        tasks.kinit_admin(cls.master)

        # Enroll the client and the replica against the master.
        tasks.install_client(cls.master, cls.clients[0])
        tasks.install_replica(cls.master, cls.replicas[0])
    def install(cls, mh):
        """Set up an external-CA master and a client for the ACME tests.

        Presumably a classmethod (any decorator is outside this excerpt).
        ``mh`` is accepted for interface compatibility with the install hook
        and is not used here.
        NOTE(review): the parent's install is not called; presumably
        prepare_acme_client covers that -- confirm.
        """
        cls.prepare_acme_client()

        # Master with an externally signed CA: two-step install.
        step1 = install_server_external_ca_step1(cls.master)
        assert step1.returncode == 0
        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
            cls.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)
        install_server_external_ca_step2(
            cls.master, ipa_ca_fname, root_ca_fname)
        tasks.kinit_admin(cls.master)

        # Enroll the client, then configure its resolv.conf with the master's
        # data (as the helper's name indicates).
        client = cls.clients[0]
        tasks.install_client(cls.master, client)
        tasks.config_host_resolvconf_with_master_data(cls.master, client)
    def test_external_ca_dirsrv_stop(self):
        """External-CA install must complete even if dirsrv is stopped between steps.

        Runs step 1, stops the directory server, then supplies the signed
        chain in step 2 and checks that the server answers as admin afterwards.
        """
        master = self.master

        # Step 1 of ipa-server-install: CSR for the external CA.
        step1 = install_server_external_ca_step1(master)
        assert step1.returncode == 0

        # Stop the directory server before step 2 runs.
        service_control_dirsrv(master, 'stop')

        # Sign the CSR, transport root and IPA CA certs, get their paths.
        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
            master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)

        # Step 2 of ipa-server-install with the signed chain.
        step2 = install_server_external_ca_step2(
            master, ipa_ca_fname, root_ca_fname)
        assert step2.returncode == 0

        # Sanity check: admin can authenticate and query itself.
        tasks.kinit_admin(master)
        user_show = master.run_command(['ipa', 'user-show', 'admin'])
        assert 'User login: admin' in user_show.stdout_text
    def test_external_ca_constrained(self):
        """Install against a root CA that carries a DNS name constraint.

        The root CA is issued with a ``permitted_subtrees`` name constraint
        for the IPA DNS domain (leading dot, i.e. names under the domain).
        The install must still succeed and the server must answer
        ``ipa ping``.
        """
        install_server_external_ca_step1(self.master)

        # Name constraint limiting the root to the IPA DNS domain (dot
        # prefix); nothing is excluded explicitly.
        permitted = [x509.DNSName('.' + self.master.domain.name)]
        nameconstraint = x509.NameConstraints(
            permitted_subtrees=permitted,
            excluded_subtrees=None,
        )

        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
            self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA,
            root_ca_extensions=[nameconstraint])

        install_server_external_ca_step2(
            self.master, ipa_ca_fname, root_ca_fname)

        # The server must be reachable with admin credentials.
        tasks.kinit_admin(self.master)
        self.master.run_command(['ipa', 'ping'])
    def test_external_ca_dirsrv_stop(self):
        """Finish an external-CA install after the directory server was stopped.

        Step 1 is run, dirsrv is stopped, and step 2 is then given the signed
        chain; the install must succeed and admin must be able to query the
        server.
        """
        # Step 1 of ipa-server-install.
        first = install_server_external_ca_step1(self.master)
        assert first.returncode == 0

        # Stop the directory server in between the two steps.
        service_control_dirsrv(self.master, 'stop')

        # Sign the CSR, transport root and IPA CA certs, get their paths.
        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
            self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)

        # Step 2 of ipa-server-install.
        second = install_server_external_ca_step2(self.master, ipa_ca_fname,
                                                  root_ca_fname)
        assert second.returncode == 0

        # Make sure the IPA server is working properly.
        tasks.kinit_admin(self.master)
        shown = self.master.run_command(['ipa', 'user-show', 'admin'])
        assert 'User login: admin' in shown.stdout_text
    def test_external_ca(self):
        """External-CA install using the MS-CS CA type, then a replica install.

        The CSR produced by step 1 must carry the Microsoft certificate
        template extension for ``SubCA``.  After step 2 the server is
        exercised as admin, a replica is installed, and the replication
        agreement is checked for the expected final settings.
        """
        master = self.master

        # Step 1 of ipa-server-install, asking for the MS-CS flavour of CSR.
        step1 = install_server_external_ca_step1(
            master, extra_args=['--external-ca-type=ms-cs'])
        assert step1.returncode == 0

        # The CSR must contain the MS certificate template (V1, SubCA).
        ipa_csr = master.get_file_contents(paths.ROOT_IPA_CSR)
        check_mscs_extension(ipa_csr, MSCSTemplateV1(u'SubCA'))

        # Sign the CSR, transport root and IPA CA certs, get their paths.
        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
            master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)

        # Step 2 of ipa-server-install with the signed chain.
        step2 = install_server_external_ca_step2(
            master, ipa_ca_fname, root_ca_fname)
        assert step2.returncode == 0

        # Sanity check: admin can authenticate and query itself.
        tasks.kinit_admin(master)
        user_show = master.run_command(['ipa', 'user-show', 'admin'])
        assert 'User login: admin' in user_show.stdout_text

        # A replica must be installable against the externally signed CA.
        tasks.install_replica(master, self.replicas[0])

        # The replication agreement must carry the final settings
        # (see ipaserver.install.replication.REPLICA_FINAL_SETTINGS);
        # the comparison is case insensitive.
        search = tasks.ldapsearch_dm(
            master, 'cn=mapping tree,cn=config', ['(cn=replica)'])
        text = search.stdout_text.lower()
        for expected in ('nsds5ReplicaReleaseTimeout: 60',
                         'nsDS5ReplicaBindDnGroupCheckInterval: 60'):
            assert expected.lower() in text
    def test_external_ca(self):
        """MS-CS style external-CA install, server sanity check, replica install.

        Verifies the step-1 CSR carries the ``SubCA`` MS certificate template,
        completes the install with the signed chain, checks the server as
        admin, installs a replica and confirms the replication agreement's
        final settings.
        """
        # Step 1 of ipa-server-install with the ms-cs external CA type.
        first = install_server_external_ca_step1(
            self.master, extra_args=['--external-ca-type=ms-cs'])
        assert first.returncode == 0

        # The CSR must carry the MS certificate template extension.
        csr_bytes = self.master.get_file_contents(paths.ROOT_IPA_CSR)
        check_mscs_extension(csr_bytes, ipa_x509.MSCSTemplateV1(u'SubCA'))

        # Sign the CSR, transport root and IPA CA certs, get their paths.
        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
            self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)

        # Step 2 of ipa-server-install.
        second = install_server_external_ca_step2(
            self.master, ipa_ca_fname, root_ca_fname)
        assert second.returncode == 0

        # Make sure the IPA server is working properly.
        tasks.kinit_admin(self.master)
        shown = self.master.run_command(['ipa', 'user-show', 'admin'])
        assert 'User login: admin' in shown.stdout_text

        # A replica must be installable as well.
        tasks.install_replica(self.master, self.replicas[0])

        # nsds5ReplicaReleaseTimeout and the bind-DN group check interval
        # must be set on the agreement; compare case-insensitively
        # (see ipaserver.install.replication.REPLICA_FINAL_SETTINGS).
        agreement = tasks.ldapsearch_dm(
            self.master,
            'cn=mapping tree,cn=config',
            ['(cn=replica)'],
        )
        lowered = agreement.stdout_text.lower()
        assert 'nsds5replicareleasetimeout: 60' in lowered
        assert 'nsds5replicabinddngroupcheckinterval: 60' in lowered