    def setup(self):
        """Build a throwaway NSS database and the paths the cert tests use.

        ``tempfile.mkdtemp`` gives a private directory (mode 0700) that holds
        the CSR, the NSS password file and the issued certificate.  The
        database is created with an empty password, which is acceptable only
        because it is scratch test data.
        """
        workdir = tempfile.mkdtemp(prefix="tmp-")
        self.reqdir = workdir
        self.reqfile = "%s/test.csr" % workdir
        self.pwname = "%s/pwd" % workdir
        self.certfile = "%s/cert.crt" % workdir

        # certutil reads the database password from a file; a single empty
        # line means "no password".
        with open(self.pwname, "w") as pwfile:
            pwfile.write("\n")

        # certutil -N initialises the database, -f names the password file.
        self.run_certutil(["-N", "-f", self.pwname])

        # Subject the tests will request certificates for: CN=<this host>
        # under the IPA subject base.
        self.subject = DN(('CN', self.host_fqdn), x509.subject_base())
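    def setup(self):
        """Prepare a scratch NSS database and request paths for the tests.

        Creates a private temporary directory (mkdtemp, mode 0700), writes the
        password file NSS needs, initialises an empty database with
        ``certutil -N`` and records the subject DN to request certificates for.
        """
        self.reqdir = tempfile.mkdtemp(prefix="tmp-")
        self.reqfile = self.reqdir + "/test.csr"
        self.pwname = self.reqdir + "/pwd"

        # A single empty line = empty database password (scratch test data
        # only).  Use a context manager so the file is flushed and closed
        # before certutil reads it, instead of relying on the GC to close it.
        with open(self.pwname, "w") as fp:
            fp.write("\n")

        # Create our temporary NSS database (-f: read the password from file)
        self.run_certutil(["-N", "-f", self.pwname])

        # CN=<this host> under the IPA subject base.
        self.subject = DN(('CN', self.host_fqdn), x509.subject_base())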
 def test_update_simple(self, host):
     """Change the host description and certificate, then re-read the host.

     The tracker compares the command result against ``expected_updates``:
     the certificate is echoed back as raw DER, and the fields the server
     derives from it (issuer, fingerprints, serial, subject, validity) are
     matched with the fuzzy_* matchers, which presumably pin only the shape
     of the value, not its exact content.
     """
     cert_b64 = get_testcert()
     cert_der = base64.b64decode(cert_b64)
     updates = dict(description=u'Updated host 1', usercertificate=cert_b64)
     expected = dict(
         description=[u'Updated host 1'],
         usercertificate=[cert_der],
         issuer=fuzzy_issuer,
         # MD5 and SHA-1 fingerprints are still part of the host output;
         # they are identifiers here, not something to base trust on.
         md5_fingerprint=fuzzy_hash,
         serial_number=fuzzy_digits,
         serial_number_hex=fuzzy_hex,
         sha1_fingerprint=fuzzy_hash,
         subject=DN(('CN', api.env.host), x509.subject_base()),
         valid_not_before=fuzzy_date,
         valid_not_after=fuzzy_date,
     )
     host.update(updates, expected_updates=expected)
     host.retrieve()
 def test_update_simple(self, host):
     """Update description and certificate on the tracked host and re-read it.

     ``usercertificate`` is sent base64-encoded and expected back as DER.
     The certificate-derived fields are checked with fuzzy_* matchers, so
     the test pins their presence and format rather than exact values.
     """
     # Fields the server derives from the uploaded certificate.  The MD5
     # and SHA-1 fingerprints are legacy identifiers emitted by the API.
     derived = {
         'issuer': fuzzy_issuer,
         'md5_fingerprint': fuzzy_hash,
         'serial_number': fuzzy_digits,
         'serial_number_hex': fuzzy_hex,
         'sha1_fingerprint': fuzzy_hash,
         'subject': DN(('CN', api.env.host), x509.subject_base()),
         'valid_not_before': fuzzy_date,
         'valid_not_after': fuzzy_date,
     }
     host.update(
         dict(description=u'Updated host 1', usercertificate=get_testcert()),
         expected_updates=dict(
             description=[u'Updated host 1'],
             usercertificate=[base64.b64decode(get_testcert())],
             **derived
         ),
     )
     host.retrieve()
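    def setUp(self):
        """Skip unless a developer CA is usable, then build a scratch NSS db.

        Skips when the ``cert_request`` command is not registered or when the
        developer self-signed CA's NSS password file is absent.  Otherwise
        creates a private temporary directory (mkdtemp, mode 0700), writes
        the password file NSS needs, initialises an empty database with
        ``certutil -N`` and records the subject DN to request certs for.
        """
        if 'cert_request' not in api.Command:
            raise nose.SkipTest('cert_request not registered')
        # The developer self-signed CA keeps its NSS password file under
        # <dot_ipa>/alias/.pwd (api.env.dot_ipa is presumably ~/.ipa).
        ca_pwd = os.path.join(api.env.dot_ipa, 'alias', '.pwd')
        if not ipautil.file_exists(ca_pwd):
            raise nose.SkipTest('developer self-signed CA not configured')
        super(test_cert, self).setUp()
        self.reqdir = tempfile.mkdtemp(prefix="tmp-")
        self.reqfile = self.reqdir + "/test.csr"
        self.pwname = self.reqdir + "/pwd"

        # A single empty line = empty database password (scratch test data
        # only).  Context manager so the file is closed before certutil
        # reads it rather than whenever the GC gets to the handle.
        with open(self.pwname, "w") as fp:
            fp.write("\n")

        # Create our temporary NSS database (-f: read the password from file)
        self.run_certutil(["-N", "-f", self.pwname])

        # CN=<this host> under the IPA subject base.
        self.subject = DN(('CN', self.host_fqdn), x509.subject_base())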
    def renew_external_step_2(self, ca, old_cert):
        """Second half of an externally-signed CA renewal: import the new cert.

        ``old_cert`` is the DER of the CA certificate currently in use.  The
        externally signed replacement and its chain come from
        ``self.options.external_cert_files``.  The replacement is accepted
        only if it is a re-signing of the same CA: same parsed subject, same
        DER encoding of that subject and identical SubjectPublicKeyInfo.
        It is then chain-validated in a scratch NSS database, the external
        chain is published to LDAP, the new CA certificate is stored in the
        ca_renewal container and the retrieval request is resubmitted.

        Raises admintool.ScriptError on any mismatch or validation failure.
        """
        print("Importing the renewed CA certificate, please wait")

        options = self.options
        conn = api.Backend.ldap2
        # load_external_cert is expected to split the supplied files into the
        # CA certificate itself and the rest of the chain (its exact checks
        # are outside this excerpt).
        cert_file, ca_file = installutils.load_external_cert(
            options.external_cert_files, x509.subject_base())

        nss_cert = None
        nss.nss_init(paths.PKI_TOMCAT_ALIAS_DIR)
        try:
            # Record what must not change: parsed subject, the subject's raw
            # DER bytes and the public key info of the current CA cert.
            nss_cert = x509.load_certificate(old_cert, x509.DER)
            subject = nss_cert.subject
            der_subject = x509.get_der_subject(old_cert, x509.DER)
            #pylint: disable=E1101
            pkinfo = nss_cert.subject_public_key_info.format()
            #pylint: enable=E1101

            nss_cert = x509.load_certificate_from_file(cert_file.name)
            cert = nss_cert.der_data
            # Same subject name: every cert this CA has already issued names
            # it as issuer and must still chain to it.
            if nss_cert.subject != subject:
                raise admintool.ScriptError(
                    "Subject name mismatch (visit "
                    "http://www.freeipa.org/page/Troubleshooting for "
                    "troubleshooting guide)")
            # Same DER encoding of that name: a re-encoded subject (e.g. a
            # different string type) compares equal when parsed but breaks
            # byte-wise issuer matching in strict verifiers.
            if x509.get_der_subject(cert, x509.DER) != der_subject:
                raise admintool.ScriptError(
                    "Subject name encoding mismatch (visit "
                    "http://www.freeipa.org/page/Troubleshooting for "
                    "troubleshooting guide)")
            #pylint: disable=E1101
            # Same key: this is a renewal of the existing CA key, not a new CA.
            if nss_cert.subject_public_key_info.format() != pkinfo:
                raise admintool.ScriptError(
                    "Subject public key info mismatch (visit "
                    "http://www.freeipa.org/page/Troubleshooting for "
                    "troubleshooting guide)")
            #pylint: enable=E1101
        finally:
            # Drop the python-nss object before nss_shutdown(); outstanding
            # NSS objects presumably make the shutdown fail - keep this order.
            del nss_cert
            nss.nss_shutdown()

        with certs.NSSDatabase() as tmpdb:
            # Scratch database with a random password; lives only for this
            # block.
            pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
            tmpdb.create_db(pw.name)
            # 'C,,' = NSS trust flags: trusted CA for SSL, no email or object
            # signing trust.
            tmpdb.add_cert(old_cert, 'IPA CA', 'C,,')

            # Adding the new cert under the same nickname is expected to fail
            # if NSS does not consider it compatible with the existing one.
            try:
                tmpdb.add_cert(cert, 'IPA CA', 'C,,')
            except ipautil.CalledProcessError as e:
                raise admintool.ScriptError(
                    "Not compatible with the current CA certificate: %s" % e)

            ca_certs = x509.load_certificate_list_from_file(ca_file.name)
            for ca_cert in ca_certs:
                tmpdb.add_cert(ca_cert.der_data, str(ca_cert.subject), 'C,,')
            # NOTE(review): if ca_certs is empty the loop never binds ca_cert
            # and `del ca_cert` raises UnboundLocalError; presumably
            # load_external_cert guarantees a non-empty chain - confirm.
            del ca_certs
            del ca_cert

            # Chain/validity verification is delegated to the NSS wrapper;
            # what exactly it checks is outside this excerpt.
            try:
                tmpdb.verify_ca_cert_validity('IPA CA')
            except ValueError as e:
                raise admintool.ScriptError(
                    "Not a valid CA certificate: %s (visit "
                    "http://www.freeipa.org/page/Troubleshooting for "
                    "troubleshooting guide)" % e)

            # get_trust_chain presumably lists nicknames root-first with
            # 'IPA CA' itself last; the slice drops it so only the external
            # chain is published here (the IPA CA cert is stored below).
            trust_chain = tmpdb.get_trust_chain('IPA CA')[:-1]
            for nickname in trust_chain:
                try:
                    ca_cert = tmpdb.get_cert(nickname)
                except RuntimeError:
                    # Best effort: publishing stops silently if a chain
                    # member cannot be read back.
                    break
                # ',,' = stored without explicit trust flags.
                certstore.put_ca_cert_nss(
                    conn, api.env.basedn, ca_cert, nickname, ',,')

        # Store the new CA cert in cn=<nickname>,cn=ca_renewal,cn=ipa,cn=etc:
        # create the entry on first renewal, ignore a no-op modify.
        dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'),
                ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
        try:
            entry = conn.get_entry(dn, ['usercertificate'])
            entry['usercertificate'] = [cert]
            conn.update_entry(entry)
        except errors.NotFound:
            entry = conn.make_entry(
                dn,
                objectclass=['top', 'pkiuser', 'nscontainer'],
                cn=[self.cert_nickname],
                usercertificate=[cert])
            conn.add_entry(entry)
        except errors.EmptyModlist:
            pass

        # Make this server the renewal master, then resubmit the tracking
        # request so the stored certificate is retrieved (presumably via
        # certmonger's ipaRetrieval helper).
        try:
            ca.set_renewal_master()
        except errors.NotFound:
            raise admintool.ScriptError("CA renewal master not found")

        self.resubmit_request(ca, 'ipaRetrieval')

        print("CA certificate successfully renewed")
    def renew_external_step_2(self, ca, old_cert):
        """Import an externally signed renewal of the IPA CA certificate.

        ``old_cert`` is the DER of the CA certificate currently in use; the
        replacement and its chain are read from
        ``self.options.external_cert_files``.  Three checks gate the import:
        the new cert must carry the same parsed subject, the same DER bytes
        for that subject and the same SubjectPublicKeyInfo as the old one,
        i.e. it must be the same CA re-signed, not a different CA.  After
        chain validation in a scratch NSS database the external chain is
        published to LDAP, the new cert is stored under the ca_renewal
        container and the tracking request is resubmitted.

        Raises admintool.ScriptError when a check or validation fails.
        """
        print("Importing the renewed CA certificate, please wait")

        options = self.options
        conn = api.Backend.ldap2
        # Splits the supplied files into the CA cert and the chain; its own
        # validation is outside this excerpt.
        cert_file, ca_file = installutils.load_external_cert(
            options.external_cert_files, x509.subject_base())

        nss_cert = None
        nss.nss_init(paths.PKI_TOMCAT_ALIAS_DIR)
        try:
            # Baseline from the current CA cert: subject, subject DER, SPKI.
            nss_cert = x509.load_certificate(old_cert, x509.DER)
            subject = nss_cert.subject
            der_subject = x509.get_der_subject(old_cert, x509.DER)
            #pylint: disable=E1101
            pkinfo = nss_cert.subject_public_key_info.format()
            #pylint: enable=E1101

            nss_cert = x509.load_certificate_from_file(cert_file.name)
            cert = nss_cert.der_data
            # Issued certs name this subject as issuer; it must not change.
            if nss_cert.subject != subject:
                raise admintool.ScriptError(
                    "Subject name mismatch (visit "
                    "http://www.freeipa.org/page/Troubleshooting for "
                    "troubleshooting guide)")
            # Parsed-equal is not enough: strict verifiers match issuer and
            # subject byte-wise, so the DER encoding must match too.
            if x509.get_der_subject(cert, x509.DER) != der_subject:
                raise admintool.ScriptError(
                    "Subject name encoding mismatch (visit "
                    "http://www.freeipa.org/page/Troubleshooting for "
                    "troubleshooting guide)")
            #pylint: disable=E1101
            # Renewal keeps the CA key; a different key would be a new CA.
            if nss_cert.subject_public_key_info.format() != pkinfo:
                raise admintool.ScriptError(
                    "Subject public key info mismatch (visit "
                    "http://www.freeipa.org/page/Troubleshooting for "
                    "troubleshooting guide)")
            #pylint: enable=E1101
        finally:
            # Release the python-nss object before shutting NSS down; an
            # outstanding object presumably makes nss_shutdown() fail.
            del nss_cert
            nss.nss_shutdown()

        with certs.NSSDatabase() as tmpdb:
            # Temporary database, random password, discarded with the block.
            pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
            tmpdb.create_db(pw.name)
            # NSS trust flags 'C,,': trusted CA for SSL only.
            tmpdb.add_cert(old_cert, 'IPA CA', 'C,,')

            # Same nickname as the old cert; NSS is expected to reject an
            # incompatible replacement here.
            try:
                tmpdb.add_cert(cert, 'IPA CA', 'C,,')
            except ipautil.CalledProcessError as e:
                raise admintool.ScriptError(
                    "Not compatible with the current CA certificate: %s" % e)

            ca_certs = x509.load_certificate_list_from_file(ca_file.name)
            for ca_cert in ca_certs:
                tmpdb.add_cert(ca_cert.der_data, str(ca_cert.subject), 'C,,')
            # NOTE(review): with an empty ca_certs, ca_cert is unbound and
            # `del ca_cert` raises UnboundLocalError; presumably the loader
            # guarantees at least one chain cert - confirm.
            del ca_certs
            del ca_cert

            # CA validity check delegated to the NSS wrapper.
            try:
                tmpdb.verify_ca_cert_validity('IPA CA')
            except ValueError as e:
                raise admintool.ScriptError(
                    "Not a valid CA certificate: %s (visit "
                    "http://www.freeipa.org/page/Troubleshooting for "
                    "troubleshooting guide)" % e)

            # The last nickname is presumably 'IPA CA' itself (root-first
            # listing); only the external chain above it is published here.
            trust_chain = tmpdb.get_trust_chain('IPA CA')[:-1]
            for nickname in trust_chain:
                try:
                    ca_cert = tmpdb.get_cert(nickname)
                except RuntimeError:
                    # Best effort: silently stop at the first unreadable
                    # chain member.
                    break
                # ',,' = no explicit trust flags in the LDAP cert store.
                certstore.put_ca_cert_nss(conn, api.env.basedn, ca_cert,
                                          nickname, ',,')

        # Persist the new CA cert under the ca_renewal container; add the
        # entry if missing, tolerate a modify that changes nothing.
        dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'),
                ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
        try:
            entry = conn.get_entry(dn, ['usercertificate'])
            entry['usercertificate'] = [cert]
            conn.update_entry(entry)
        except errors.NotFound:
            entry = conn.make_entry(
                dn,
                objectclass=['top', 'pkiuser', 'nscontainer'],
                cn=[self.cert_nickname],
                usercertificate=[cert])
            conn.add_entry(entry)
        except errors.EmptyModlist:
            pass

        # Become renewal master and resubmit the tracking request so the
        # stored certificate is picked up (presumably via ipaRetrieval).
        try:
            ca.set_renewal_master()
        except errors.NotFound:
            raise admintool.ScriptError("CA renewal master not found")

        self.resubmit_request(ca, 'ipaRetrieval')

        print("CA certificate successfully renewed")
# Reverse (PTR) record DN for the IPv6 test address; ipv6_fromip_ptr and
# revipv6zone_dn are defined above this excerpt.
ipv6_fromip_ptr_dn = DN(('idnsname', ipv6_fromip_ptr), revipv6zone_dn)

# Test-only SSH public key (public half only, no private material) and the
# SHA256 fingerprint string the API is expected to derive from it.
sshpubkey = u'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGAX3xAeLeaJggwTqMjxNwa6XHBUAikXPGMzEpVrlLDCZtv00djsFTBi38PkgxBJVkgRWMrcBsr/35lq7P6w8KGIwA8GI48Z0qBS2NBMJ2u9WQ2hjLN6GdMlo77O0uJY3251p12pCVIS/bHRSq8kHO2No8g7KA9fGGcagPfQH+ee3t7HUkpbQkFTmbPPN++r3V8oVUk5LxbryB3UIIVzNmcSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM019Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF0L public key test'
sshpubkeyfp = u'SHA256:cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE public key test (ssh-rsa)'

# Names (and DNs) of the users, groups and host group the tests exercise.
user1 = u'tuser1'
user2 = u'tuser2'
group1 = u'group1'
group1_dn = get_group_dn(group1)
group2 = u'group2'
group2_dn = get_group_dn(group2)
hostgroup1 = u'testhostgroup1'
hostgroup1_dn = DN(('cn', hostgroup1), ('cn', 'hostgroups'),
                   ('cn', 'accounts'), api.env.basedn)

# Test certificate for this server's own host principal: CN=api.env.host
# under the IPA subject base, principal host/<host>@<realm>.
host_cert = get_testcert(DN(('CN', api.env.host), x509.subject_base()),
                         'host/%s@%s' % (api.env.host, api.env.realm))


@pytest.fixture(scope='class')
def host(request):
    """Class-scoped fixture tracking a host named ``testhost1``.

    ``HostTracker.make_fixture`` presumably registers the host's creation
    and cleanup with pytest's ``request`` so it is removed after the class.
    """
    return HostTracker(name=u'testhost1').make_fixture(request)


@pytest.fixture(scope='class')
def host2(request):
    """Class-scoped fixture tracking a second host, ``testhost2``.

    Mirrors ``host``; the tracker's ``make_fixture`` is presumably what ties
    creation and cleanup to the pytest ``request``.
    """
    second = HostTracker(name=u'testhost2')
    fixture = second.make_fixture(request)
    return fixture

    def renew_external_step_2(self, ca, old_cert_der):
        """Second half of an externally-signed CA renewal: import the new cert.

        ``old_cert_der`` is the DER of the CA certificate currently in use;
        the externally signed replacement and its chain are read from
        ``self.options.external_cert_files``.  The replacement is accepted
        only if it is a re-signing of the same CA: same parsed subject, same
        DER encoding of that subject and byte-identical SubjectPublicKeyInfo.
        It is then chain-validated in a scratch NSS database, the external
        chain is published to LDAP, the new CA certificate is stored in the
        ca_renewal container and the retrieval request is resubmitted.

        Raises admintool.ScriptError on any mismatch or validation failure.
        """
        print("Importing the renewed CA certificate, please wait")

        options = self.options
        conn = api.Backend.ldap2
        # Splits the supplied files into the CA cert and the chain; its own
        # validation is outside this excerpt.
        cert_file, ca_file = installutils.load_external_cert(
            options.external_cert_files, x509.subject_base())

        # Baseline from the current CA cert: parsed subject (via the cert
        # object), raw subject DER, and the DER SubjectPublicKeyInfo.
        old_cert_obj = x509.load_certificate(old_cert_der, x509.DER)
        old_der_subject = x509.get_der_subject(old_cert_der, x509.DER)
        old_spki = old_cert_obj.public_key().public_bytes(
            serialization.Encoding.DER,
            serialization.PublicFormat.SubjectPublicKeyInfo
        )

        # Opened in text mode, so cert_file is expected to hold PEM;
        # normalize_certificate presumably returns DER either way - confirm
        # against load_external_cert.
        with open(cert_file.name) as f:
            new_cert_data = f.read()
        new_cert_der = x509.normalize_certificate(new_cert_data)
        new_cert_obj = x509.load_certificate(new_cert_der, x509.DER)
        new_der_subject = x509.get_der_subject(new_cert_der, x509.DER)
        new_spki = new_cert_obj.public_key().public_bytes(
            serialization.Encoding.DER,
            serialization.PublicFormat.SubjectPublicKeyInfo
        )

        # Same subject name: certs already issued by this CA name it as
        # issuer and must still chain to it.
        if new_cert_obj.subject != old_cert_obj.subject:
            raise admintool.ScriptError(
                "Subject name mismatch (visit "
                "http://www.freeipa.org/page/Troubleshooting for "
                "troubleshooting guide)")
        # Same DER encoding of the name: strict verifiers match issuer to
        # subject byte-wise, so a re-encoded but parsed-equal name breaks
        # chain building.
        if new_der_subject != old_der_subject:
            raise admintool.ScriptError(
                "Subject name encoding mismatch (visit "
                "http://www.freeipa.org/page/Troubleshooting for "
                "troubleshooting guide)")
        # Same key: this is a renewal of the existing CA key, not a new CA.
        if new_spki != old_spki:
            raise admintool.ScriptError(
                "Subject public key info mismatch (visit "
                "http://www.freeipa.org/page/Troubleshooting for "
                "troubleshooting guide)")

        with certs.NSSDatabase() as tmpdb:
            # Scratch database with a random password; lives only for this
            # block.
            pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
            tmpdb.create_db(pw.name)
            # 'C,,' = NSS trust flags: trusted CA for SSL, no email or object
            # signing trust.
            tmpdb.add_cert(old_cert_der, 'IPA CA', 'C,,')

            # Adding the new cert under the same nickname is expected to fail
            # if NSS does not consider it compatible with the existing one.
            try:
                tmpdb.add_cert(new_cert_der, 'IPA CA', 'C,,')
            except ipautil.CalledProcessError as e:
                raise admintool.ScriptError(
                    "Not compatible with the current CA certificate: %s" % e)

            # Load the external chain into the scratch database, each cert
            # nicknamed by its subject DN.
            ca_certs = x509.load_certificate_list_from_file(ca_file.name)
            for ca_cert in ca_certs:
                data = ca_cert.public_bytes(serialization.Encoding.DER)
                tmpdb.add_cert(data, str(DN(ca_cert.subject)), 'C,,')

            # Chain/validity verification is delegated to the NSS wrapper;
            # what exactly it checks is outside this excerpt.
            try:
                tmpdb.verify_ca_cert_validity('IPA CA')
            except ValueError as e:
                raise admintool.ScriptError(
                    "Not a valid CA certificate: %s (visit "
                    "http://www.freeipa.org/page/Troubleshooting for "
                    "troubleshooting guide)" % e)

            # get_trust_chain presumably lists nicknames root-first with
            # 'IPA CA' itself last; the slice drops it so only the external
            # chain is published here (the IPA CA cert is stored below).
            trust_chain = tmpdb.get_trust_chain('IPA CA')[:-1]
            for nickname in trust_chain:
                try:
                    ca_cert = tmpdb.get_cert(nickname)
                except RuntimeError:
                    # Best effort: publishing stops silently if a chain
                    # member cannot be read back.
                    break
                # ',,' = stored without explicit trust flags.
                certstore.put_ca_cert_nss(
                    conn, api.env.basedn, ca_cert, nickname, ',,')

        # Store the new CA cert in cn=<nickname>,cn=ca_renewal,cn=ipa,cn=etc:
        # create the entry on first renewal, ignore a no-op modify.
        dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'),
                ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
        try:
            entry = conn.get_entry(dn, ['usercertificate'])
            entry['usercertificate'] = [new_cert_der]
            conn.update_entry(entry)
        except errors.NotFound:
            entry = conn.make_entry(
                dn,
                objectclass=['top', 'pkiuser', 'nscontainer'],
                cn=[self.cert_nickname],
                usercertificate=[new_cert_der])
            conn.add_entry(entry)
        except errors.EmptyModlist:
            pass

        # Make this server the renewal master, then resubmit the tracking
        # request so the stored certificate is retrieved (presumably via
        # certmonger's ipaRetrieval helper).
        try:
            ca.set_renewal_master()
        except errors.NotFound:
            raise admintool.ScriptError("CA renewal master not found")

        self.resubmit_request(ca, 'ipaRetrieval')

        print("CA certificate successfully renewed")
    def renew_external_step_2(self, ca, old_cert_der):
        """Import an externally signed renewal of the IPA CA certificate.

        ``old_cert_der`` is the DER of the CA certificate currently in use;
        the replacement and its chain come from
        ``self.options.external_cert_files``.  Three checks gate the import:
        the new cert must carry the same parsed subject, the same subject DER
        and the same SubjectPublicKeyInfo as the old one, i.e. it must be the
        same CA re-signed rather than a different CA.  After chain validation
        in a scratch NSS database the external chain is published to LDAP,
        the new cert is stored under the ca_renewal container and the
        tracking request is resubmitted.

        Raises admintool.ScriptError when a check or validation fails.
        """
        print("Importing the renewed CA certificate, please wait")

        options = self.options
        conn = api.Backend.ldap2
        # Splits the supplied files into the CA cert and the chain; its own
        # validation is outside this excerpt.
        cert_file, ca_file = installutils.load_external_cert(
            options.external_cert_files, x509.subject_base())

        # What must not change: subject, subject DER bytes, SPKI DER.
        old_cert_obj = x509.load_certificate(old_cert_der, x509.DER)
        old_der_subject = x509.get_der_subject(old_cert_der, x509.DER)
        old_spki = old_cert_obj.public_key().public_bytes(
            serialization.Encoding.DER,
            serialization.PublicFormat.SubjectPublicKeyInfo)

        # Text-mode read, so the file is expected to be PEM; confirm that
        # load_external_cert writes PEM and normalize_certificate yields DER.
        with open(cert_file.name) as f:
            new_cert_data = f.read()
        new_cert_der = x509.normalize_certificate(new_cert_data)
        new_cert_obj = x509.load_certificate(new_cert_der, x509.DER)
        new_der_subject = x509.get_der_subject(new_cert_der, x509.DER)
        new_spki = new_cert_obj.public_key().public_bytes(
            serialization.Encoding.DER,
            serialization.PublicFormat.SubjectPublicKeyInfo)

        # Issued certs name this subject as issuer; it must not change.
        if new_cert_obj.subject != old_cert_obj.subject:
            raise admintool.ScriptError(
                "Subject name mismatch (visit "
                "http://www.freeipa.org/page/Troubleshooting for "
                "troubleshooting guide)")
        # Parsed-equal is not enough: byte-wise issuer/subject matching in
        # strict verifiers needs the same DER encoding.
        if new_der_subject != old_der_subject:
            raise admintool.ScriptError(
                "Subject name encoding mismatch (visit "
                "http://www.freeipa.org/page/Troubleshooting for "
                "troubleshooting guide)")
        # Renewal keeps the CA key; a different key would be a new CA.
        if new_spki != old_spki:
            raise admintool.ScriptError(
                "Subject public key info mismatch (visit "
                "http://www.freeipa.org/page/Troubleshooting for "
                "troubleshooting guide)")

        with certs.NSSDatabase() as tmpdb:
            # Temporary database, random password, discarded with the block.
            pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
            tmpdb.create_db(pw.name)
            # NSS trust flags 'C,,': trusted CA for SSL only.
            tmpdb.add_cert(old_cert_der, 'IPA CA', 'C,,')

            # Same nickname as the old cert; NSS is expected to reject an
            # incompatible replacement here.
            try:
                tmpdb.add_cert(new_cert_der, 'IPA CA', 'C,,')
            except ipautil.CalledProcessError as e:
                raise admintool.ScriptError(
                    "Not compatible with the current CA certificate: %s" % e)

            # External chain, each cert nicknamed by its subject DN.
            ca_certs = x509.load_certificate_list_from_file(ca_file.name)
            for ca_cert in ca_certs:
                data = ca_cert.public_bytes(serialization.Encoding.DER)
                tmpdb.add_cert(data, str(DN(ca_cert.subject)), 'C,,')

            # CA validity check delegated to the NSS wrapper.
            try:
                tmpdb.verify_ca_cert_validity('IPA CA')
            except ValueError as e:
                raise admintool.ScriptError(
                    "Not a valid CA certificate: %s (visit "
                    "http://www.freeipa.org/page/Troubleshooting for "
                    "troubleshooting guide)" % e)

            # The last nickname is presumably 'IPA CA' itself (root-first
            # listing); only the external chain above it is published here.
            trust_chain = tmpdb.get_trust_chain('IPA CA')[:-1]
            for nickname in trust_chain:
                try:
                    ca_cert = tmpdb.get_cert(nickname)
                except RuntimeError:
                    # Best effort: silently stop at the first unreadable
                    # chain member.
                    break
                # ',,' = no explicit trust flags in the LDAP cert store.
                certstore.put_ca_cert_nss(conn, api.env.basedn, ca_cert,
                                          nickname, ',,')

        # Persist the new CA cert under the ca_renewal container; add the
        # entry if missing, tolerate a modify that changes nothing.
        dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'),
                ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
        try:
            entry = conn.get_entry(dn, ['usercertificate'])
            entry['usercertificate'] = [new_cert_der]
            conn.update_entry(entry)
        except errors.NotFound:
            entry = conn.make_entry(
                dn,
                objectclass=['top', 'pkiuser', 'nscontainer'],
                cn=[self.cert_nickname],
                usercertificate=[new_cert_der])
            conn.add_entry(entry)
        except errors.EmptyModlist:
            pass

        # Become renewal master and resubmit the tracking request so the
        # stored certificate is picked up (presumably via ipaRetrieval).
        try:
            ca.set_renewal_master()
        except errors.NotFound:
            raise admintool.ScriptError("CA renewal master not found")

        self.resubmit_request(ca, 'ipaRetrieval')

        print("CA certificate successfully renewed")
    def renew_external_step_2(self, ca, old_cert):
        """Validate an externally signed renewal of the IPA CA certificate.

        Python 2 variant (print statement, ``except X, e``).  ``old_cert`` is
        the DER of the current CA certificate; the replacement and its chain
        come from ``self.options.external_cert_files``.  The replacement must
        match the old cert in parsed subject, subject DER encoding and
        SubjectPublicKeyInfo, and must then pass chain validation in a
        scratch NSS database.  This listing stops after the validity check;
        whatever follows in the full function is not shown here.

        Raises admintool.ScriptError on any mismatch or validation failure.
        """
        print "Importing the renewed CA certificate, please wait"

        options = self.options
        # Splits the supplied files into the CA cert and the chain; its own
        # validation is outside this excerpt.
        cert_file, ca_file = installutils.load_external_cert(
            options.external_cert_files, x509.subject_base())

        nss_cert = None
        # NSS is initialised against the Dogtag alias directory of this CA.
        nss.nss_init(ca.dogtag_constants.ALIAS_DIR)
        try:
            # Baseline from the current CA cert: subject, subject DER, SPKI.
            nss_cert = x509.load_certificate(old_cert, x509.DER)
            subject = nss_cert.subject
            der_subject = x509.get_der_subject(old_cert, x509.DER)
            #pylint: disable=E1101
            pkinfo = nss_cert.subject_public_key_info.format()
            #pylint: enable=E1101

            nss_cert = x509.load_certificate_from_file(cert_file.name)
            cert = nss_cert.der_data
            # Issued certs name this subject as issuer; it must not change.
            if nss_cert.subject != subject:
                raise admintool.ScriptError(
                    "Subject name mismatch (visit "
                    "http://www.freeipa.org/page/Troubleshooting for "
                    "troubleshooting guide)")
            # Strict verifiers match issuer to subject byte-wise, so the DER
            # encoding of the name must match as well.
            if x509.get_der_subject(cert, x509.DER) != der_subject:
                raise admintool.ScriptError(
                    "Subject name encoding mismatch (visit "
                    "http://www.freeipa.org/page/Troubleshooting for "
                    "troubleshooting guide)")
            #pylint: disable=E1101
            # Renewal keeps the CA key; a different key would be a new CA.
            if nss_cert.subject_public_key_info.format() != pkinfo:
                raise admintool.ScriptError(
                    "Subject public key info mismatch (visit "
                    "http://www.freeipa.org/page/Troubleshooting for "
                    "troubleshooting guide)")
            #pylint: enable=E1101
        finally:
            # Release the python-nss object before shutting NSS down; an
            # outstanding object presumably makes nss_shutdown() fail.
            del nss_cert
            nss.nss_shutdown()

        with certs.NSSDatabase() as tmpdb:
            # Temporary database, random password, discarded with the block.
            pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
            tmpdb.create_db(pw.name)
            # NSS trust flags 'C,,': trusted CA for SSL only.
            tmpdb.add_cert(old_cert, 'IPA CA', 'C,,')

            # Same nickname as the old cert; NSS is expected to reject an
            # incompatible replacement here.
            try:
                tmpdb.add_cert(cert, 'IPA CA', 'C,,')
            except ipautil.CalledProcessError, e:
                raise admintool.ScriptError(
                    "Not compatible with the current CA certificate: %s" % e)

            ca_certs = x509.load_certificate_list_from_file(ca_file.name)
            for ca_cert in ca_certs:
                tmpdb.add_cert(ca_cert.der_data, str(ca_cert.subject), 'C,,')
            # NOTE(review): with an empty ca_certs, ca_cert is unbound and
            # `del ca_cert` raises UnboundLocalError; presumably the loader
            # guarantees at least one chain cert - confirm.
            del ca_certs
            del ca_cert

            # CA validity check delegated to the NSS wrapper.
            try:
                tmpdb.verify_ca_cert_validity('IPA CA')
            except ValueError, e:
                raise admintool.ScriptError(
                    "Not a valid CA certificate: %s (visit "
                    "http://www.freeipa.org/page/Troubleshooting for "
                    "troubleshooting guide)" % e)
class test_host(Declarative):

    cleanup_commands = [
        ('host_del', [fqdn1], {}),
        ('host_del', [fqdn2], {}),
        ('host_del', [fqdn3], {}),
        ('host_del', [fqdn4], {}),
        ('service_del', [service1], {}),
    ]

    tests = [
        dict(
            desc='Try to retrieve non-existent %r' % fqdn1,
            command=('host_show', [fqdn1], {}),
            expected=errors.NotFound(reason=u'%s: host not found' % fqdn1),
        ),
        dict(
            desc='Try to update non-existent %r' % fqdn1,
            command=('host_mod', [fqdn1], dict(description=u'Nope')),
            expected=errors.NotFound(reason=u'%s: host not found' % fqdn1),
        ),
        dict(
            desc='Try to delete non-existent %r' % fqdn1,
            command=('host_del', [fqdn1], {}),
            expected=errors.NotFound(reason=u'%s: host not found' % fqdn1),
        ),
        dict(
            desc='Create %r' % fqdn1,
            command=(
                'host_add',
                [fqdn1],
                dict(
                    description=u'Test host 1',
                    l=u'Undisclosed location 1',
                    force=True,
                ),
            ),
            expected=dict(
                value=fqdn1,
                summary=u'Added host "%s"' % fqdn1,
                result=dict(
                    dn=dn1,
                    fqdn=[fqdn1],
                    description=[u'Test host 1'],
                    l=[u'Undisclosed location 1'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                    objectclass=objectclasses.host,
                    ipauniqueid=[fuzzy_uuid],
                    managedby_host=[fqdn1],
                    has_keytab=False,
                    has_password=False,
                ),
            ),
        ),
        dict(
            desc='Try to create duplicate %r' % fqdn1,
            command=(
                'host_add',
                [fqdn1],
                dict(
                    description=u'Test host 1',
                    l=u'Undisclosed location 1',
                    force=True,
                ),
            ),
            expected=errors.DuplicateEntry(message=u'host with name ' +
                                           u'"%s" already exists' % fqdn1),
        ),
        dict(
            desc='Retrieve %r' % fqdn1,
            command=('host_show', [fqdn1], {}),
            expected=dict(
                value=fqdn1,
                summary=None,
                result=dict(
                    dn=dn1,
                    fqdn=[fqdn1],
                    description=[u'Test host 1'],
                    l=[u'Undisclosed location 1'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                    has_keytab=False,
                    has_password=False,
                    managedby_host=[fqdn1],
                ),
            ),
        ),
        dict(
            desc='Retrieve %r with all=True' % fqdn1,
            command=('host_show', [fqdn1], dict(all=True)),
            expected=dict(
                value=fqdn1,
                summary=None,
                result=dict(
                    dn=dn1,
                    cn=[fqdn1],
                    fqdn=[fqdn1],
                    description=[u'Test host 1'],
                    # FIXME: Why is 'localalityname' returned as 'l' with --all?
                    # It is intuitive for --all to return additional attributes,
                    # but not to return existing attributes under different
                    # names.
                    l=[u'Undisclosed location 1'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                    serverhostname=[u'testhost1'],
                    objectclass=objectclasses.host,
                    managedby_host=[fqdn1],
                    managing_host=[fqdn1],
                    ipauniqueid=[fuzzy_uuid],
                    has_keytab=False,
                    has_password=False,
                ),
            ),
        ),
        dict(
            desc='Search for %r' % fqdn1,
            command=('host_find', [fqdn1], {}),
            expected=dict(
                count=1,
                truncated=False,
                summary=u'1 host matched',
                result=[
                    dict(
                        dn=dn1,
                        fqdn=[fqdn1],
                        description=[u'Test host 1'],
                        l=[u'Undisclosed location 1'],
                        krbprincipalname=[
                            u'host/%s@%s' % (fqdn1, api.env.realm)
                        ],
                        managedby_host=[u'%s' % fqdn1],
                        has_keytab=False,
                        has_password=False,
                    ),
                ],
            ),
        ),
        dict(
            desc='Search for %r with all=True' % fqdn1,
            command=('host_find', [fqdn1], dict(all=True)),
            expected=dict(
                count=1,
                truncated=False,
                summary=u'1 host matched',
                result=[
                    dict(
                        dn=dn1,
                        cn=[fqdn1],
                        fqdn=[fqdn1],
                        description=[u'Test host 1'],
                        # FIXME: Why is 'localalityname' returned as 'l' with --all?
                        # It is intuitive for --all to return additional attributes,
                        # but not to return existing attributes under different
                        # names.
                        l=[u'Undisclosed location 1'],
                        krbprincipalname=[
                            u'host/%s@%s' % (fqdn1, api.env.realm)
                        ],
                        serverhostname=[u'testhost1'],
                        objectclass=objectclasses.host,
                        ipauniqueid=[fuzzy_uuid],
                        managedby_host=[u'%s' % fqdn1],
                        managing_host=[u'%s' % fqdn1],
                        has_keytab=False,
                        has_password=False,
                    ),
                ],
            ),
        ),
        dict(
            desc='Update %r' % fqdn1,
            command=('host_mod', [fqdn1],
                     dict(description=u'Updated host 1',
                          usercertificate=servercert)),
            expected=dict(
                value=fqdn1,
                summary=u'Modified host "%s"' % fqdn1,
                result=dict(
                    description=[u'Updated host 1'],
                    fqdn=[fqdn1],
                    l=[u'Undisclosed location 1'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                    managedby_host=[u'%s' % fqdn1],
                    usercertificate=[base64.b64decode(servercert)],
                    valid_not_before=fuzzy_date,
                    valid_not_after=fuzzy_date,
                    subject=DN(('CN', api.env.host), x509.subject_base()),
                    serial_number=fuzzy_digits,
                    serial_number_hex=fuzzy_hex,
                    md5_fingerprint=fuzzy_hash,
                    sha1_fingerprint=fuzzy_hash,
                    issuer=fuzzy_issuer,
                    has_keytab=False,
                    has_password=False,
                ),
            ),
        ),
        dict(
            desc='Retrieve %r to verify update' % fqdn1,
            command=('host_show', [fqdn1], {}),
            expected=dict(
                value=fqdn1,
                summary=None,
                result=dict(
                    dn=dn1,
                    fqdn=[fqdn1],
                    description=[u'Updated host 1'],
                    l=[u'Undisclosed location 1'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                    has_keytab=False,
                    has_password=False,
                    managedby_host=[u'%s' % fqdn1],
                    usercertificate=[base64.b64decode(servercert)],
                    valid_not_before=fuzzy_date,
                    valid_not_after=fuzzy_date,
                    subject=DN(('CN', api.env.host), x509.subject_base()),
                    serial_number=fuzzy_digits,
                    serial_number_hex=fuzzy_hex,
                    md5_fingerprint=fuzzy_hash,
                    sha1_fingerprint=fuzzy_hash,
                    issuer=fuzzy_issuer,
                ),
            ),
        ),
        dict(
            desc='Create %r' % fqdn3,
            command=(
                'host_add',
                [fqdn3],
                dict(
                    description=u'Test host 2',
                    l=u'Undisclosed location 2',
                    force=True,
                ),
            ),
            expected=dict(
                value=fqdn3,
                summary=u'Added host "%s"' % fqdn3,
                result=dict(
                    dn=dn3,
                    fqdn=[fqdn3],
                    description=[u'Test host 2'],
                    l=[u'Undisclosed location 2'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)],
                    objectclass=objectclasses.host,
                    ipauniqueid=[fuzzy_uuid],
                    managedby_host=[u'%s' % fqdn3],
                    has_keytab=False,
                    has_password=False,
                ),
            ),
        ),
        dict(
            desc='Create %r' % fqdn4,
            command=(
                'host_add',
                [fqdn4],
                dict(
                    description=u'Test host 4',
                    l=u'Undisclosed location 4',
                    force=True,
                ),
            ),
            expected=dict(
                value=fqdn4,
                summary=u'Added host "%s"' % fqdn4,
                result=dict(
                    dn=dn4,
                    fqdn=[fqdn4],
                    description=[u'Test host 4'],
                    l=[u'Undisclosed location 4'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn4, api.env.realm)],
                    objectclass=objectclasses.host,
                    ipauniqueid=[fuzzy_uuid],
                    managedby_host=[u'%s' % fqdn4],
                    has_keytab=False,
                    has_password=False,
                ),
            ),
        ),
        dict(
            desc='Add managedby_host %r to %r' % (fqdn1, fqdn3),
            command=(
                'host_add_managedby',
                [fqdn3],
                dict(host=u'%s' % fqdn1, ),
            ),
            expected=dict(
                completed=1,
                failed=dict(managedby=dict(host=tuple(), ), ),
                result=dict(
                    dn=dn3,
                    fqdn=[fqdn3],
                    description=[u'Test host 2'],
                    l=[u'Undisclosed location 2'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)],
                    managedby_host=[u'%s' % fqdn3,
                                    u'%s' % fqdn1],
                ),
            ),
        ),
        dict(
            desc='Retrieve %r' % fqdn3,
            command=('host_show', [fqdn3], {}),
            expected=dict(
                value=fqdn3,
                summary=None,
                result=dict(
                    dn=dn3,
                    fqdn=[fqdn3],
                    description=[u'Test host 2'],
                    l=[u'Undisclosed location 2'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)],
                    has_keytab=False,
                    has_password=False,
                    managedby_host=[u'%s' % fqdn3,
                                    u'%s' % fqdn1],
                ),
            ),
        ),
        dict(
            desc='Search for hosts with --man-hosts and --not-man-hosts',
            command=('host_find', [], {
                'man_host': fqdn3,
                'not_man_host': fqdn1
            }),
            expected=dict(
                count=1,
                truncated=False,
                summary=u'1 host matched',
                result=[
                    dict(
                        dn=dn3,
                        fqdn=[fqdn3],
                        description=[u'Test host 2'],
                        l=[u'Undisclosed location 2'],
                        krbprincipalname=[
                            u'host/%s@%s' % (fqdn3, api.env.realm)
                        ],
                        has_keytab=False,
                        has_password=False,
                        managedby_host=[u'%s' % fqdn3,
                                        u'%s' % fqdn1],
                    ),
                ],
            ),
        ),
        dict(
            desc='Try to search for hosts with --man-hosts',
            command=('host_find', [], {
                'man_host': [fqdn3, fqdn4]
            }),
            expected=dict(
                count=0,
                truncated=False,
                summary=u'0 hosts matched',
                result=[],
            ),
        ),
        dict(
            desc='Remove managedby_host %r from %r' % (fqdn1, fqdn3),
            command=(
                'host_remove_managedby',
                [fqdn3],
                dict(host=u'%s' % fqdn1, ),
            ),
            expected=dict(
                completed=1,
                failed=dict(managedby=dict(host=tuple(), ), ),
                result=dict(
                    dn=dn3,
                    fqdn=[fqdn3],
                    description=[u'Test host 2'],
                    l=[u'Undisclosed location 2'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)],
                    managedby_host=[u'%s' % fqdn3],
                ),
            ),
        ),
        dict(
            desc='Show a host with multiple matches %s' % short3,
            command=('host_show', [short3], {}),
            expected=errors.SingleMatchExpected(found=2),
        ),
        dict(desc='Try to rename %r' % fqdn1,
             command=('host_mod', [fqdn1],
                      dict(setattr=u'fqdn=changed.example.com')),
             expected=errors.NotAllowedOnRDN()),
        dict(
            desc='Add MAC address to %r' % fqdn1,
            command=('host_mod', [fqdn1],
                     dict(macaddress=u'00:50:56:30:F6:5F')),
            expected=dict(
                value=fqdn1,
                summary=u'Modified host "%s"' % fqdn1,
                result=dict(
                    description=[u'Updated host 1'],
                    fqdn=[fqdn1],
                    l=[u'Undisclosed location 1'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                    managedby_host=[u'%s' % fqdn1],
                    usercertificate=[base64.b64decode(servercert)],
                    valid_not_before=fuzzy_date,
                    valid_not_after=fuzzy_date,
                    subject=DN(('CN', api.env.host), x509.subject_base()),
                    serial_number=fuzzy_digits,
                    serial_number_hex=fuzzy_hex,
                    md5_fingerprint=fuzzy_hash,
                    sha1_fingerprint=fuzzy_hash,
                    macaddress=[u'00:50:56:30:F6:5F'],
                    issuer=fuzzy_issuer,
                    has_keytab=False,
                    has_password=False,
                ),
            ),
        ),
        dict(
            desc='Add another MAC address to %r' % fqdn1,
            command=('host_mod', [
                fqdn1
            ], dict(macaddress=[u'00:50:56:30:F6:5F', u'00:50:56:2C:8D:82'])),
            expected=dict(
                value=fqdn1,
                summary=u'Modified host "%s"' % fqdn1,
                result=dict(
                    description=[u'Updated host 1'],
                    fqdn=[fqdn1],
                    l=[u'Undisclosed location 1'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                    managedby_host=[u'%s' % fqdn1],
                    usercertificate=[base64.b64decode(servercert)],
                    valid_not_before=fuzzy_date,
                    valid_not_after=fuzzy_date,
                    subject=DN(('CN', api.env.host), x509.subject_base()),
                    serial_number=fuzzy_digits,
                    serial_number_hex=fuzzy_hex,
                    md5_fingerprint=fuzzy_hash,
                    sha1_fingerprint=fuzzy_hash,
                    macaddress=[u'00:50:56:30:F6:5F', u'00:50:56:2C:8D:82'],
                    issuer=fuzzy_issuer,
                    has_keytab=False,
                    has_password=False,
                ),
            ),
        ),
        dict(
            desc='Add an illegal MAC address to %r' % fqdn1,
            command=('host_mod', [fqdn1], dict(macaddress=[u'xx'])),
            expected=errors.ValidationError(
                name='macaddress',
                error=u'Must be of the form HH:HH:HH:HH:HH:HH, where ' +
                u'each H is a hexadecimal character.'),
        ),
        dict(
            desc='Add SSH public key to %r' % fqdn1,
            command=('host_mod', [fqdn1], dict(ipasshpubkey=[sshpubkey])),
            expected=dict(
                value=fqdn1,
                summary=u'Modified host "%s"' % fqdn1,
                result=dict(
                    description=[u'Updated host 1'],
                    fqdn=[fqdn1],
                    l=[u'Undisclosed location 1'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                    managedby_host=[u'%s' % fqdn1],
                    usercertificate=[base64.b64decode(servercert)],
                    valid_not_before=fuzzy_date,
                    valid_not_after=fuzzy_date,
                    subject=DN(('CN', api.env.host), x509.subject_base()),
                    serial_number=fuzzy_digits,
                    serial_number_hex=fuzzy_hex,
                    md5_fingerprint=fuzzy_hash,
                    sha1_fingerprint=fuzzy_hash,
                    issuer=fuzzy_issuer,
                    macaddress=[u'00:50:56:30:F6:5F', u'00:50:56:2C:8D:82'],
                    ipasshpubkey=[sshpubkey],
                    sshpubkeyfp=[sshpubkeyfp],
                    has_keytab=False,
                    has_password=False,
                ),
            ),
        ),
        dict(
            desc='Add an illegal SSH public key to %r' % fqdn1,
            command=('host_mod', [fqdn1],
                     dict(ipasshpubkey=[u'no-pty %s' % sshpubkey])),
            expected=errors.ValidationError(name='sshpubkey',
                                            error=u'options are not allowed'),
        ),
        dict(
            desc='Delete %r' % fqdn1,
            command=('host_del', [fqdn1], {}),
            expected=dict(
                value=fqdn1,
                summary=u'Deleted host "%s"' % fqdn1,
                result=dict(failed=u''),
            ),
        ),
        dict(
            desc='Try to retrieve non-existent %r' % fqdn1,
            command=('host_show', [fqdn1], {}),
            expected=errors.NotFound(reason=u'%s: host not found' % fqdn1),
        ),
        dict(
            desc='Try to update non-existent %r' % fqdn1,
            command=('host_mod', [fqdn1], dict(description=u'Nope')),
            expected=errors.NotFound(reason=u'%s: host not found' % fqdn1),
        ),
        dict(
            desc='Try to delete non-existent %r' % fqdn1,
            command=('host_del', [fqdn1], {}),
            expected=errors.NotFound(reason=u'%s: host not found' % fqdn1),
        ),

        # Test deletion using a non-fully-qualified hostname. Services
        # associated with this host should also be removed.
        dict(
            desc='Re-create %r' % fqdn1,
            command=(
                'host_add',
                [fqdn1],
                dict(
                    description=u'Test host 1',
                    l=u'Undisclosed location 1',
                    force=True,
                ),
            ),
            expected=dict(
                value=fqdn1,
                summary=u'Added host "%s"' % fqdn1,
                result=dict(
                    dn=dn1,
                    fqdn=[fqdn1],
                    description=[u'Test host 1'],
                    l=[u'Undisclosed location 1'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                    objectclass=objectclasses.host,
                    ipauniqueid=[fuzzy_uuid],
                    managedby_host=[u'%s' % fqdn1],
                    has_keytab=False,
                    has_password=False,
                ),
            ),
        ),
        dict(
            desc='Add a service to host %r' % fqdn1,
            command=('service_add', [service1], {
                'force': True
            }),
            expected=dict(
                value=service1,
                summary=u'Added service "%s"' % service1,
                result=dict(
                    dn=service1dn,
                    krbprincipalname=[service1],
                    objectclass=objectclasses.service,
                    managedby_host=[fqdn1],
                    ipauniqueid=[fuzzy_uuid],
                ),
            ),
        ),
        dict(
            desc='Delete using host name %r' % short1,
            command=('host_del', [short1], {}),
            expected=dict(
                value=short1,
                summary=u'Deleted host "%s"' % short1,
                result=dict(failed=u''),
            ),
        ),
        dict(
            desc='Search for services for %r' % fqdn1,
            command=('service_find', [fqdn1], {}),
            expected=dict(
                count=0,
                truncated=False,
                summary=u'0 services matched',
                result=[],
            ),
        ),
        dict(
            desc='Try to add host not in DNS %r without force' % fqdn2,
            command=('host_add', [fqdn2], {}),
            expected=errors.DNSNotARecordError(
                reason=u'Host does not have corresponding DNS A record'),
        ),
        dict(
            desc='Try to add host not in DNS %r with force' % fqdn2,
            command=(
                'host_add',
                [fqdn2],
                dict(
                    description=u'Test host 2',
                    l=u'Undisclosed location 2',
                    userclass=[u'webserver', u'mailserver'],
                    force=True,
                ),
            ),
            expected=dict(
                value=fqdn2,
                summary=u'Added host "%s"' % fqdn2,
                result=dict(
                    dn=dn2,
                    fqdn=[fqdn2],
                    description=[u'Test host 2'],
                    l=[u'Undisclosed location 2'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn2, api.env.realm)],
                    objectclass=objectclasses.host,
                    ipauniqueid=[fuzzy_uuid],
                    managedby_host=[fqdn2],
                    userclass=[u'webserver', u'mailserver'],
                    has_keytab=False,
                    has_password=False,
                ),
            ),
        ),
        dict(
            desc='Retrieve %r' % fqdn2,
            command=('host_show', [fqdn2], {}),
            expected=dict(
                value=fqdn2,
                summary=None,
                result=dict(
                    dn=dn2,
                    fqdn=[fqdn2],
                    description=[u'Test host 2'],
                    l=[u'Undisclosed location 2'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn2, api.env.realm)],
                    has_keytab=False,
                    has_password=False,
                    managedby_host=[fqdn2],
                    userclass=[u'webserver', u'mailserver'],
                ),
            ),
        ),

        # This test will only succeed when running against lite-server.py
        # on same box as IPA install.
        dict(
            desc='Delete the current host (master?) %s should be caught' %
            api.env.host,
            command=('host_del', [api.env.host], {}),
            expected=errors.ValidationError(
                name='hostname',
                error=u'An IPA master host cannot be deleted or disabled'),
        ),
        dict(
            desc='Disable the current host (master?) %s should be caught' %
            api.env.host,
            command=('host_disable', [api.env.host], {}),
            expected=errors.ValidationError(
                name='hostname',
                error=u'An IPA master host cannot be deleted or disabled'),
        ),
        dict(
            desc='Test that validation is enabled on adds',
            command=('host_add', [invalidfqdn1], {}),
            expected=errors.ValidationError(
                name='hostname',
                error=u'invalid domain-name: only letters, numbers, and - ' +
                u'are allowed. DNS label may not start or end with -'),
        ),

        # The assumption on these next 4 tests is that if we don't get a
        # validation error then the request was processed normally.
        dict(
            desc='Test that validation is disabled on mods',
            command=('host_mod', [invalidfqdn1], {}),
            expected=errors.NotFound(reason=u'%s: host not found' %
                                     invalidfqdn1),
        ),
        dict(
            desc='Test that validation is disabled on deletes',
            command=('host_del', [invalidfqdn1], {}),
            expected=errors.NotFound(reason=u'%s: host not found' %
                                     invalidfqdn1),
        ),
        dict(
            desc='Test that validation is disabled on show',
            command=('host_show', [invalidfqdn1], {}),
            expected=errors.NotFound(reason=u'%s: host not found' %
                                     invalidfqdn1),
        ),
        dict(
            desc='Test that validation is disabled on find',
            command=('host_find', [invalidfqdn1], {}),
            expected=dict(
                count=0,
                truncated=False,
                summary=u'0 hosts matched',
                result=[],
            ),
        ),
        dict(
            desc='Add managedby_host %r to %r' % (fqdn3, fqdn4),
            command=(
                'host_add_managedby',
                [fqdn4],
                dict(host=fqdn3, ),
            ),
            expected=dict(
                completed=1,
                failed=dict(managedby=dict(host=tuple(), ), ),
                result=dict(
                    dn=dn4,
                    fqdn=[fqdn4],
                    description=[u'Test host 4'],
                    l=[u'Undisclosed location 4'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn4, api.env.realm)],
                    managedby_host=[fqdn4, fqdn3],
                ),
            ),
        ),
        dict(
            desc='Delete %r' % fqdn3,
            command=('host_del', [fqdn3], {}),
            expected=dict(
                value=fqdn3,
                summary=u'Deleted host "%s"' % fqdn3,
                result=dict(failed=u''),
            ),
        ),
        dict(
            desc='Retrieve %r to verify that %r is gone from managedBy' %
            (fqdn4, fqdn3),
            command=('host_show', [fqdn4], {}),
            expected=dict(
                value=fqdn4,
                summary=None,
                result=dict(
                    dn=dn4,
                    fqdn=[fqdn4],
                    description=[u'Test host 4'],
                    l=[u'Undisclosed location 4'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn4, api.env.realm)],
                    has_keytab=False,
                    has_password=False,
                    managedby_host=[fqdn4],
                ),
            ),
        ),
    ]
# Fixtures for the host and service tests.  Every name is derived from the
# live test environment (``api.env``) so the entries created during a run
# belong to this deployment's domain, realm and base DN.
fqdn1 = u"testhost1.{0}".format(api.env.domain)
fqdn2 = u"testhost2.{0}".format(api.env.domain)
# Mixed case, presumably to exercise case-insensitive host name handling --
# confirm against the tests that use it.
fqdn3 = u"TestHost3.{0}".format(api.env.domain)
service1_no_realm = u"HTTP/{0}".format(fqdn1)
service1 = u"{0}@{1}".format(service1_no_realm, api.env.realm)
hostprincipal1 = u"host/{0}@{1}".format(fqdn1, api.env.realm)

# Container RDNs shared by all service / host entries.
_services_container = (("cn", "services"), ("cn", "accounts"), api.env.basedn)
_computers_container = (("cn", "computers"), ("cn", "accounts"), api.env.basedn)

service1dn = DN(("krbprincipalname", service1), *_services_container)
host1dn = DN(("fqdn", fqdn1), *_computers_container)
host2dn = DN(("fqdn", fqdn2), *_computers_container)
host3dn = DN(("fqdn", fqdn3), *_computers_container)

role1 = u"Test Role"
role1_dn = DN(("cn", role1), api.env.container_rolegroup, api.env.basedn)

# Certificate for this host's ``unittest`` principal, produced by the
# project's test-cert helper (its exact encoding is not shown here).
servercert = get_testcert(
    DN(("CN", api.env.host), x509.subject_base()),
    "unittest/%s@%s" % (api.env.host, api.env.realm),
)
# Base64-encoded certificate from an issuer unrelated to the IPA CA;
# presumably used where a certificate must be rejected for not chaining to
# the deployment's CA -- confirm against the tests that reference it.
randomissuercert = (
    "MIICbzCCAdigAwIBAgICA/4wDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3Q"
    "gQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDgwOTE1MDIyN1oXDTIwMDgwOTE1MDIyN1"
    "owKTEMMAoGA1UEChMDSVBBMRkwFwYDVQQDExBwdW1hLmdyZXlvYWsuY29tMIIBIjANBgkqh"
    "kiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwYbfEOQPgGenPn9vt1JFKvWm/Je3y2tawGWA3LXD"
    "uqfFJyYtZ8ib3TcBUOnLk9WK5g2qCwHaNlei7bj8ggIfr5hegAVe10cun+wYErjnYo7hsHY"
    "d+57VZezeipWrXu+7NoNd4+c4A5lk4A/xJay9j3bYx2oOM8BEox4xWYoWge1ljPrc5JK46f"
    "0X7AGW4F2VhnKPnf8rwSuzI1U8VGjutyM9TWNy3m9KMWeScjyG/ggIpOjUDMV7HkJL0Di61"
    "lznR9jXubpiEC7gWGbTp84eGl/Nn9bgK1AwHfJ2lHwfoY4uiL7ge1gyP6EvuUlHoBzdb7pe"
    "kiX28iePjW3iEG9IawIDAQABoyIwIDARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgU"
    "gMA0GCSqGSIb3DQEBBQUAA4GBACRESLemRV9BPxfEgbALuxH5oE8jQm8WZ3pm2pALbpDlAd"
    "9wQc3yVf6RtkfVthyDnM18bg7IhxKpd77/p3H8eCnS8w5MLVRda6ktUC6tGhFTS4QKAf0Wy"
    "DGTcIgkXbeDw0OPAoNHivoXbIXIIRxlw/XgaSaMzJQDBG8iROsN4kCv"
)
    def renew_external_step_2(self, ca, old_cert):
        """Validate an externally signed renewal of the IPA CA certificate.

        ``old_cert`` is the currently installed CA certificate in DER form.
        The renewed certificate and the external issuer chain are read from
        the files listed in ``self.options.external_cert_files``.  Before it
        is accepted, the renewed certificate must agree with the old one in
        subject name, DER subject encoding and SubjectPublicKeyInfo (i.e. it
        re-certifies the existing CA key), and it must validate as a CA in a
        throw-away NSS database seeded with the old certificate and the
        supplied chain.  Every failed check raises ``admintool.ScriptError``.

        NOTE(review): this listing ends after the validation; the import
        announced by the first print statement is not visible here.
        """
        print "Importing the renewed CA certificate, please wait"

        options = self.options
        # cert_file holds the renewed CA certificate, ca_file the external
        # issuer chain; only their ``.name`` is used below.
        cert_file, ca_file = installutils.load_external_cert(
            options.external_cert_files, x509.subject_base())

        nss_cert = None
        nss.nss_init(ca.dogtag_constants.ALIAS_DIR)
        try:
            # Record the identity of the current CA certificate: parsed
            # subject, raw DER subject and public key info.
            nss_cert = x509.load_certificate(old_cert, x509.DER)
            subject = nss_cert.subject
            der_subject = x509.get_der_subject(old_cert, x509.DER)
            #pylint: disable=E1101
            pkinfo = nss_cert.subject_public_key_info.format()
            #pylint: enable=E1101

            nss_cert = x509.load_certificate_from_file(cert_file.name)
            cert = nss_cert.der_data
            # Name continuity, first on the parsed subject ...
            if nss_cert.subject != subject:
                raise admintool.ScriptError(
                    "Subject name mismatch (visit "
                    "http://www.freeipa.org/page/Troubleshooting for "
                    "troubleshooting guide)")
            # ... then on the exact DER bytes, so a re-encoded name that
            # merely compares equal as text is still rejected (presumably
            # because path building matches issuer/subject byte-wise --
            # confirm).
            if x509.get_der_subject(cert, x509.DER) != der_subject:
                raise admintool.ScriptError(
                    "Subject name encoding mismatch (visit "
                    "http://www.freeipa.org/page/Troubleshooting for "
                    "troubleshooting guide)")
            # Key continuity: the renewal must carry the same public key as
            # the certificate it replaces.
            #pylint: disable=E1101
            if nss_cert.subject_public_key_info.format() != pkinfo:
                raise admintool.ScriptError(
                    "Subject public key info mismatch (visit "
                    "http://www.freeipa.org/page/Troubleshooting for "
                    "troubleshooting guide)")
            #pylint: enable=E1101
        finally:
            # Drop the certificate object before shutting NSS down;
            # presumably required because nss_shutdown() fails while NSS
            # objects are still alive -- confirm against python-nss.
            del nss_cert
            nss.nss_shutdown()

        with certs.NSSDatabase() as tmpdb:
            # Throw-away database protected by a freshly generated password.
            # The old CA certificate is imported as a trusted CA ('C,,') so
            # the renewal is checked against it.
            # NOTE(review): ``pw`` is never closed explicitly; presumably a
            # temporary file removed when the object is collected -- confirm.
            pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
            tmpdb.create_db(pw.name)
            tmpdb.add_cert(old_cert, 'IPA CA', 'C,,')

            # Importing the renewal under the same nickname doubles as the
            # compatibility check; a subprocess failure becomes a
            # ScriptError.
            try:
                tmpdb.add_cert(cert, 'IPA CA', 'C,,')
            except ipautil.CalledProcessError, e:
                raise admintool.ScriptError(
                    "Not compatible with the current CA certificate: %s" % e)

            # Import the external issuer chain, one entry per certificate
            # nicknamed by its subject, so that a path can be built.
            ca_certs = x509.load_certificate_list_from_file(ca_file.name)
            for ca_cert in ca_certs:
                tmpdb.add_cert(ca_cert.der_data, str(ca_cert.subject), 'C,,')
            del ca_certs
            # NOTE(review): ``ca_cert`` is only bound if the loop ran; an
            # empty chain file would raise NameError here instead of a
            # ScriptError -- confirm load_external_cert rejects that case.
            del ca_cert

            # Final check: with the chain in place the renewed certificate
            # must verify as a valid CA certificate.
            try:
                tmpdb.verify_ca_cert_validity('IPA CA')
            except ValueError, e:
                raise admintool.ScriptError(
                    "Not a valid CA certificate: %s (visit "
                    "http://www.freeipa.org/page/Troubleshooting for "
                    "troubleshooting guide)" % e)
# Reverse-record fixture (by name, the PTR for an IPv6 address); the zone DN
# it hangs under is defined elsewhere in the file.
ipv6_fromip_ptr_dnsname = DNSName(ipv6_fromip_ptr)
ipv6_fromip_ptr_dn = DN(("idnsname", ipv6_fromip_ptr), revipv6zone_dn)

# Public half of a test SSH key and the fingerprint the server is expected
# to report for it (16-octet, colon-separated MD5 form).
# NOTE(review): if the server ever switches to SHA256 fingerprints this
# fixture has to follow.
sshpubkey = u"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGAX3xAeLeaJggwTqMjxNwa6XHBUAikXPGMzEpVrlLDCZtv00djsFTBi38PkgxBJVkgRWMrcBsr/35lq7P6w8KGIwA8GI48Z0qBS2NBMJ2u9WQ2hjLN6GdMlo77O0uJY3251p12pCVIS/bHRSq8kHO2No8g7KA9fGGcagPfQH+ee3t7HUkpbQkFTmbPPN++r3V8oVUk5LxbryB3UIIVzNmcSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM019Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF0L public key test"
sshpubkeyfp = u"13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B public key test (ssh-rsa)"

# User, group and hostgroup fixtures.
user1, user2 = u"tuser1", u"tuser2"
group1, group2 = u"group1", u"group2"
group1_dn, group2_dn = get_group_dn(group1), get_group_dn(group2)
hostgroup1 = u"testhostgroup1"
hostgroup1_dn = DN(
    ("cn", hostgroup1), ("cn", "hostgroups"), ("cn", "accounts"), api.env.basedn
)

# Certificate for this machine's host principal, from the test-cert helper.
host_cert = get_testcert(
    DN(("CN", api.env.host), x509.subject_base()),
    "host/%s@%s" % (api.env.host, api.env.realm),
)


class HostTracker(Tracker):
    """Wraps and tracks modifications to a Host object

    Implements the helper functions for host plugin.

    The HostTracker object stores information about the host, e.g.
    ``fqdn`` and ``dn``.
    """

    retrieve_keys = {
        "dn",
        "fqdn",
        "description",
# Fixtures shared by the host tests; derived from ``api.env`` so that the
# entries are unique to this deployment's domain, realm and suffix.
fqdn1 = u'testhost1.{0}'.format(api.env.domain)
fqdn2 = u'testhost2.{0}'.format(api.env.domain)
# Mixed case, presumably to exercise case-insensitive name handling --
# confirm against the tests that use it.
fqdn3 = u'TestHost3.{0}'.format(api.env.domain)
service1_no_realm = u'HTTP/{0}'.format(fqdn1)
service1 = u'{0}@{1}'.format(service1_no_realm, api.env.realm)
hostprincipal1 = u'host/{0}@{1}'.format(fqdn1, api.env.realm)

# Tail shared by every entry under cn=accounts.
_accounts = (('cn', 'accounts'), api.env.basedn)
service1dn = DN(('krbprincipalname', service1), ('cn', 'services'), *_accounts)
host1dn = DN(('fqdn', fqdn1), ('cn', 'computers'), *_accounts)
host2dn = DN(('fqdn', fqdn2), ('cn', 'computers'), *_accounts)
host3dn = DN(('fqdn', fqdn3), ('cn', 'computers'), *_accounts)

role1 = u'Test Role'
role1_dn = DN(('cn', role1), api.env.container_rolegroup, api.env.basedn)

# Certificate for this host's ``unittest`` principal from the test-cert
# helper (encoding not shown here).
servercert = get_testcert(
    DN(('CN', api.env.host), x509.subject_base()),
    'unittest/%s@%s' % (api.env.host, api.env.realm),
)
# NOTE(review): the literal was elided from this listing; by its name it is
# presumably a certificate the server must reject -- confirm in the source.
badservercert = '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'

user1, user2 = u'tuser1', u'tuser2'
group1, group2 = u'group1', u'group2'
group1_dn = get_group_dn(group1)
group2_dn = get_group_dn(group2)
hostgroup1 = u'testhostgroup1'
hostgroup1_dn = DN(('cn', hostgroup1), ('cn', 'hostgroups'), *_accounts)


@pytest.mark.tier1
class test_service(Declarative):

    cleanup_commands = [
        ('host_del', [fqdn1], {}),
        ('host_del', [fqdn2], {}),
        ('host_del', [fqdn3], {}),
        ('service_del', [service1], {}),
    ]

    tests = [
        dict(
            desc='Try to retrieve non-existent %r' % service1,
            command=('service_show', [service1], {}),
            expected=errors.NotFound(reason=u'%s: service not found' %
                                     service1),
        ),
        dict(
            desc='Try to update non-existent %r' % service1,
            command=('service_mod', [service1],
                     dict(usercertificate=get_testcert())),
            expected=errors.NotFound(reason=u'%s: service not found' %
                                     service1),
        ),
        dict(
            desc='Try to delete non-existent %r' % service1,
            command=('service_del', [service1], {}),
            expected=errors.NotFound(reason=u'%s: service not found' %
                                     service1),
        ),
        dict(
            desc='Create %r' % fqdn1,
            command=(
                'host_add',
                [fqdn1],
                dict(
                    description=u'Test host 1',
                    l=u'Undisclosed location 1',
                    force=True,
                ),
            ),
            expected=dict(
                value=fqdn1,
                summary=u'Added host "%s"' % fqdn1,
                result=dict(
                    dn=host1dn,
                    fqdn=[fqdn1],
                    description=[u'Test host 1'],
                    l=[u'Undisclosed location 1'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                    objectclass=objectclasses.host,
                    ipauniqueid=[fuzzy_uuid],
                    managedby_host=[u'%s' % fqdn1],
                    has_keytab=False,
                    has_password=False,
                ),
            ),
        ),
        dict(
            desc='Create %r' % fqdn2,
            command=(
                'host_add',
                [fqdn2],
                dict(
                    description=u'Test host 2',
                    l=u'Undisclosed location 2',
                    force=True,
                ),
            ),
            expected=dict(
                value=fqdn2,
                summary=u'Added host "%s"' % fqdn2,
                result=dict(
                    dn=host2dn,
                    fqdn=[fqdn2],
                    description=[u'Test host 2'],
                    l=[u'Undisclosed location 2'],
                    krbprincipalname=[u'host/%s@%s' % (fqdn2, api.env.realm)],
                    objectclass=objectclasses.host,
                    ipauniqueid=[fuzzy_uuid],
                    managedby_host=[u'%s' % fqdn2],
                    has_keytab=False,
                    has_password=False,
                ),
            ),
        ),
        dict(
            desc='Create %r' % fqdn3,
            command=(
                'host_add',
                [fqdn3],
                dict(
                    description=u'Test host 3',
                    l=u'Undisclosed location 3',
                    force=True,
                ),
            ),
            expected=dict(
                value=fqdn3.lower(),
                summary=u'Added host "%s"' % fqdn3.lower(),
                result=dict(
                    dn=host3dn,
                    fqdn=[fqdn3.lower()],
                    description=[u'Test host 3'],
                    l=[u'Undisclosed location 3'],
                    krbprincipalname=[
                        u'host/%s@%s' % (fqdn3.lower(), api.env.realm)
                    ],
                    objectclass=objectclasses.host,
                    ipauniqueid=[fuzzy_uuid],
                    managedby_host=[u'%s' % fqdn3.lower()],
                    has_keytab=False,
                    has_password=False,
                ),
            ),
        ),
        dict(
            desc='Create %r' % service1,
            command=(
                'service_add',
                [service1],
                dict(force=True, ),
            ),
            expected=dict(
                value=service1,
                summary=u'Added service "%s"' % service1,
                result=dict(
                    dn=service1dn,
                    krbprincipalname=[service1],
                    objectclass=objectclasses.service,
                    ipauniqueid=[fuzzy_uuid],
                    managedby_host=[fqdn1],
                ),
            ),
        ),
        dict(
            desc='Try to create duplicate %r' % service1,
            command=(
                'service_add',
                [service1],
                dict(force=True, ),
            ),
            expected=errors.DuplicateEntry(
                message=u'service with name "%s" already exists' % service1),
        ),
        dict(
            desc='Retrieve %r' % service1,
            command=('service_show', [service1], {}),
            expected=dict(
                value=service1,
                summary=None,
                result=dict(
                    dn=service1dn,
                    krbprincipalname=[service1],
                    has_keytab=False,
                    managedby_host=[fqdn1],
                ),
            ),
        ),
        dict(
            desc='Retrieve %r with all=True' % service1,
            command=('service_show', [service1], dict(all=True)),
            expected=dict(
                value=service1,
                summary=None,
                result=dict(
                    dn=service1dn,
                    krbprincipalname=[service1],
                    ipakrbprincipalalias=[service1],
                    objectclass=objectclasses.service,
                    ipauniqueid=[fuzzy_uuid],
                    managedby_host=[fqdn1],
                    has_keytab=False,
                    ipakrbrequirespreauth=True,
                    ipakrbokasdelegate=False,
                ),
            ),
        ),
        dict(
            desc='Search for %r' % service1,
            command=('service_find', [service1], {}),
            expected=dict(
                count=1,
                truncated=False,
                summary=u'1 service matched',
                result=[
                    dict(
                        dn=service1dn,
                        krbprincipalname=[service1],
                        managedby_host=[fqdn1],
                        has_keytab=False,
                    ),
                ],
            ),
        ),
        dict(
            desc='Search for %r with all=True' % service1,
            command=('service_find', [service1], dict(all=True)),
            expected=dict(
                count=1,
                truncated=False,
                summary=u'1 service matched',
                result=[
                    dict(
                        dn=service1dn,
                        krbprincipalname=[service1],
                        ipakrbprincipalalias=[service1],
                        objectclass=objectclasses.service,
                        ipauniqueid=[fuzzy_uuid],
                        has_keytab=False,
                        managedby_host=[fqdn1],
                        ipakrbrequirespreauth=True,
                        ipakrbokasdelegate=False,
                    ),
                ],
            ),
        ),
        dict(
            desc='Add non-existent host to %r' % service1,
            command=('service_add_host', [service1], dict(host=u'notfound')),
            expected=dict(
                failed=dict(managedby=dict(host=[(u'notfound',
                                                  u'no such entry')])),
                completed=0,
                result=dict(
                    dn=service1dn,
                    krbprincipalname=[service1],
                    managedby_host=[fqdn1],
                ),
            ),
        ),
        dict(
            desc='Remove non-existent host from %r' % service1,
            command=('service_remove_host', [service1],
                     dict(host=u'notfound')),
            expected=dict(
                failed=dict(managedby=dict(
                    host=[(u'notfound', u'This entry is not a member')])),
                completed=0,
                result=dict(
                    dn=service1dn,
                    krbprincipalname=[service1],
                    managedby_host=[fqdn1],
                ),
            ),
        ),
        dict(
            desc='Add host to %r' % service1,
            command=('service_add_host', [service1], dict(host=fqdn2)),
            expected=dict(
                failed=dict(managedby=dict(host=[])),
                completed=1,
                result=dict(
                    dn=service1dn,
                    krbprincipalname=[service1],
                    managedby_host=[fqdn1, fqdn2],
                ),
            ),
        ),
        dict(
            desc='Remove host from %r' % service1,
            command=('service_remove_host', [service1], dict(host=fqdn2)),
            expected=dict(
                failed=dict(managedby=dict(host=[])),
                completed=1,
                result=dict(
                    dn=service1dn,
                    krbprincipalname=[service1],
                    managedby_host=[fqdn1],
                ),
            ),
        ),
        dict(
            desc='Add mixed-case host to %r' % service1,
            command=('service_add_host', [service1], dict(host=fqdn3)),
            expected=dict(
                failed=dict(managedby=dict(host=[])),
                completed=1,
                result=dict(
                    dn=service1dn,
                    krbprincipalname=[service1],
                    managedby_host=[fqdn1, fqdn3.lower()],
                ),
            ),
        ),
        dict(
            desc='Remove mixed-case host from %r' % service1,
            command=('service_remove_host', [service1], dict(host=fqdn3)),
            expected=dict(
                failed=dict(managedby=dict(host=[])),
                completed=1,
                result=dict(
                    dn=service1dn,
                    krbprincipalname=[service1],
                    managedby_host=[fqdn1],
                ),
            ),
        ),
        dict(
            desc='Update %r with a bad certificate' % service1,
            command=('service_mod', [service1],
                     dict(usercertificate=badservercert)),
            expected=errors.CertificateOperationError(
                error=u'Issuer "CN=IPA Test Certificate Authority" does not ' +
                u'match the expected issuer'),
        ),
        dict(
            desc='Update %r' % service1,
            command=('service_mod', [service1],
                     dict(usercertificate=get_testcert())),
            expected=dict(
                value=service1,
                summary=u'Modified service "%s"' % service1,
                result=dict(
                    usercertificate=[base64.b64decode(get_testcert())],
                    krbprincipalname=[service1],
                    managedby_host=[fqdn1],
                    valid_not_before=fuzzy_date,
                    valid_not_after=fuzzy_date,
                    subject=DN(('CN', api.env.host), x509.subject_base()),
                    serial_number=fuzzy_digits,
                    serial_number_hex=fuzzy_hex,
                    md5_fingerprint=fuzzy_hash,
                    sha1_fingerprint=fuzzy_hash,
                    issuer=fuzzy_issuer,
                ),
            ),
        ),
        dict(desc='Try to update %r with invalid ipakrbauthz data '
             'combination' % service1,
             command=('service_mod', [service1],
                      dict(ipakrbauthzdata=[u'MS-PAC', u'NONE'])),
             expected=errors.ValidationError(
                 name='ipakrbauthzdata',
                 error=u'NONE value cannot be combined with other PAC types')),
        dict(
            desc='Update %r with valid ipakrbauthz data '
            'combination' % service1,
            command=('service_mod', [service1],
                     dict(ipakrbauthzdata=[u'MS-PAC'])),
            expected=dict(
                value=service1,
                summary=u'Modified service "%s"' % service1,
                result=dict(
                    usercertificate=[base64.b64decode(get_testcert())],
                    krbprincipalname=[service1],
                    managedby_host=[fqdn1],
                    ipakrbauthzdata=[u'MS-PAC'],
                    valid_not_before=fuzzy_date,
                    valid_not_after=fuzzy_date,
                    subject=DN(('CN', api.env.host), x509.subject_base()),
                    serial_number=fuzzy_digits,
                    serial_number_hex=fuzzy_hex,
                    md5_fingerprint=fuzzy_hash,
                    sha1_fingerprint=fuzzy_hash,
                    issuer=fuzzy_issuer,
                ),
            ),
        ),
        dict(
            desc='Retrieve %r to verify update' % service1,
            command=('service_show', [service1], {}),
            expected=dict(
                value=service1,
                summary=None,
                result=dict(
                    dn=service1dn,
                    usercertificate=[base64.b64decode(get_testcert())],
                    krbprincipalname=[service1],
                    has_keytab=False,
                    managedby_host=[fqdn1],
                    ipakrbauthzdata=[u'MS-PAC'],
                    # These values come from the servercert that is in this
                    # test case.
                    valid_not_before=fuzzy_date,
                    valid_not_after=fuzzy_date,
                    subject=DN(('CN', api.env.host), x509.subject_base()),
                    serial_number=fuzzy_digits,
                    serial_number_hex=fuzzy_hex,
                    md5_fingerprint=fuzzy_hash,
                    sha1_fingerprint=fuzzy_hash,
                    issuer=fuzzy_issuer,
                ),
            ),
        ),
        dict(
            desc='Enable %r OK_AS_DELEGATE Kerberos ticket flag' % service1,
            command=('service_mod', [service1], dict(ipakrbokasdelegate=True)),
            expected=dict(
                value=service1,
                summary=u'Modified service "%s"' % service1,
                result=dict(
                    usercertificate=[base64.b64decode(get_testcert())],
                    krbprincipalname=[service1],
                    managedby_host=[fqdn1],
                    ipakrbauthzdata=[u'MS-PAC'],
                    valid_not_before=fuzzy_date,
                    valid_not_after=fuzzy_date,
                    subject=DN(('CN', api.env.host), x509.subject_base()),
                    serial_number=fuzzy_digits,
                    serial_number_hex=fuzzy_hex,
                    md5_fingerprint=fuzzy_hash,
                    sha1_fingerprint=fuzzy_hash,
                    issuer=fuzzy_issuer,
                    krbticketflags=[u'1048704'],
                    ipakrbokasdelegate=True,
                ),
            ),
        ),
        dict(
            desc='Update %r Kerberos ticket flags with setattr' % service1,
            command=('service_mod', [service1],
                     dict(setattr=[u'krbTicketFlags=1048577'])),
            expected=dict(
                value=service1,
                summary=u'Modified service "%s"' % service1,
                result=dict(
                    usercertificate=[base64.b64decode(get_testcert())],
                    krbprincipalname=[service1],
                    managedby_host=[fqdn1],
                    ipakrbauthzdata=[u'MS-PAC'],
                    valid_not_before=fuzzy_date,
                    valid_not_after=fuzzy_date,
                    subject=DN(('CN', api.env.host), x509.subject_base()),
                    serial_number=fuzzy_digits,
                    serial_number_hex=fuzzy_hex,
                    md5_fingerprint=fuzzy_hash,
                    sha1_fingerprint=fuzzy_hash,
                    issuer=fuzzy_issuer,
                    krbticketflags=[u'1048577'],
                ),
            ),
        ),
        dict(
            desc='Disable %r OK_AS_DELEGATE Kerberos ticket flag' % service1,
            command=('service_mod', [service1],
                     dict(ipakrbokasdelegate=False)),
            expected=dict(
                value=service1,
                summary=u'Modified service "%s"' % service1,
                result=dict(
                    usercertificate=[base64.b64decode(get_testcert())],
                    krbprincipalname=[service1],
                    managedby_host=[fqdn1],
                    ipakrbauthzdata=[u'MS-PAC'],
                    valid_not_before=fuzzy_date,
                    valid_not_after=fuzzy_date,
                    subject=DN(('CN', api.env.host), x509.subject_base()),
                    serial_number=fuzzy_digits,
                    serial_number_hex=fuzzy_hex,
                    md5_fingerprint=fuzzy_hash,
                    sha1_fingerprint=fuzzy_hash,
                    issuer=fuzzy_issuer,
                    krbticketflags=[u'1'],
                    ipakrbokasdelegate=False,
                ),
            ),
        ),
        dict(
            desc='Delete %r' % service1,
            command=('service_del', [service1], {}),
            expected=dict(
                value=[service1],
                summary=u'Deleted service "%s"' % service1,
                result=dict(failed=[]),
            ),
        ),
        dict(
            desc='Try to retrieve non-existent %r' % service1,
            command=('service_show', [service1], {}),
            expected=errors.NotFound(reason=u'%s: service not found' %
                                     service1),
        ),
        dict(
            desc='Try to update non-existent %r' % service1,
            command=('service_mod', [service1],
                     dict(usercertificate=get_testcert())),
            expected=errors.NotFound(reason=u'%s: service not found' %
                                     service1),
        ),
        dict(
            desc='Try to delete non-existent %r' % service1,
            command=('service_del', [service1], {}),
            expected=errors.NotFound(reason=u'%s: service not found' %
                                     service1),
        ),
        dict(desc='Create service with malformed principal "foo"',
             command=('service_add', [u'foo'], {}),
             expected=errors.MalformedServicePrincipal(
                 reason='missing service')),
        dict(
            desc='Create service with bad realm "HTTP/[email protected]"',
            command=('service_add', [u'HTTP/[email protected]'], {}),
            expected=errors.RealmMismatch(),
        ),
        dict(desc='Create a host service %r' % hostprincipal1,
             command=('service_add', [hostprincipal1], {}),
             expected=errors.HostService()),

        # These tests will only succeed when running against lite-server.py
        # on same box as IPA install.
        dict(
            desc=
            'Delete the current host (master?) %s HTTP service, should be caught'
            % api.env.host,
            command=('service_del', ['HTTP/%s' % api.env.host], {}),
            expected=errors.ValidationError(
                name='principal',
                error='This principal is required by the IPA master'),
        ),
        dict(
            desc=
            'Delete the current host (master?) %s ldap service, should be caught'
            % api.env.host,
            command=('service_del', ['ldap/%s' % api.env.host], {}),
            expected=errors.ValidationError(
                name='principal',
                error='This principal is required by the IPA master'),
        ),
        dict(
            desc=
            'Disable the current host (master?) %s HTTP service, should be caught'
            % api.env.host,
            command=('service_disable', ['HTTP/%s' % api.env.host], {}),
            expected=errors.ValidationError(
                name='principal',
                error='This principal is required by the IPA master'),
        ),
        dict(
            desc=
            'Disable the current host (master?) %s ldap service, should be caught'
            % api.env.host,
            command=('service_disable', ['ldap/%s' % api.env.host], {}),
            expected=errors.ValidationError(
                name='principal',
                error='This principal is required by the IPA master'),
        ),
    ]