def test_master_install_ca2(self):
root_ca_fname2 = tempfile.mkdtemp(suffix='root_ca.crt', dir=paths.TMP)
ipa_ca_fname2 = tempfile.mkdtemp(suffix='ipa_ca.crt', dir=paths.TMP)
self.master.run_command(
[paths.IPA_CACERT_MANAGE, 'renew', '--external-ca'])
ipa_csr = self.master.get_file_contents(paths.IPA_CA_CSR)
external_ca = ExternalCA()
root_ca = external_ca.create_ca(cn='RootCA2')
ipa_ca = external_ca.sign_csr(ipa_csr)
self.master.put_file_contents(root_ca_fname2, root_ca)
self.master.put_file_contents(ipa_ca_fname2, ipa_ca)
# Step 2 of ipa-server-install.
self.master.run_command([
paths.IPA_CACERT_MANAGE, 'renew', '--external-cert-file',
ipa_ca_fname2, '--external-cert-file', root_ca_fname2
])
cert_nick = "caSigningCert cert-pki-ca"
result = self.master.run_command([
'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR, '-n', cert_nick
])
assert "CN=RootCA2" in result.stdout_text
def sign_ca_and_transport(host, csr_name, root_ca_name, ipa_ca_name):
"""
Sign ipa csr and save signed CA together with root CA back to the host.
Returns root CA and IPA CA paths on the host.
"""
test_dir = host.config.test_dir
# Get IPA CSR as bytes
ipa_csr = host.get_file_contents(csr_name)
external_ca = ExternalCA()
# Create root CA
root_ca = external_ca.create_ca()
# Sign CSR
ipa_ca = external_ca.sign_csr(ipa_csr)
root_ca_fname = os.path.join(test_dir, root_ca_name)
ipa_ca_fname = os.path.join(test_dir, ipa_ca_name)
# Transport certificates (string > file) to master
host.put_file_contents(root_ca_fname, root_ca)
host.put_file_contents(ipa_ca_fname, ipa_ca)
return (root_ca_fname, ipa_ca_fname)
def sign_ca_and_transport(host, csr_name, root_ca_name, ipa_ca_name):
"""
Sign ipa csr and save signed CA together with root CA back to the host.
Returns root CA and IPA CA paths on the host.
"""
test_dir = host.config.test_dir
# Get IPA CSR as bytes
ipa_csr = host.get_file_contents(csr_name)
external_ca = ExternalCA()
# Create root CA
root_ca = external_ca.create_ca()
# Sign CSR
ipa_ca = external_ca.sign_csr(ipa_csr)
root_ca_fname = os.path.join(test_dir, root_ca_name)
ipa_ca_fname = os.path.join(test_dir, ipa_ca_name)
# Transport certificates (string > file) to master
host.put_file_contents(root_ca_fname, root_ca)
host.put_file_contents(ipa_ca_fname, ipa_ca)
return (root_ca_fname, ipa_ca_fname)
def test_master_install_ca1(self):
install_server_external_ca_step1(self.master)
# Sign CA, transport it to the host and get ipa a root ca paths.
root_ca_fname1 = tasks.create_temp_file(self.master,
directory=paths.TMP,
suffix="root_ca.crt")
ipa_ca_fname1 = tasks.create_temp_file(self.master,
directory=paths.TMP,
suffix="ipa_ca.crt")
ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR)
external_ca = ExternalCA()
root_ca = external_ca.create_ca(cn='RootCA1')
ipa_ca = external_ca.sign_csr(ipa_csr)
self.master.put_file_contents(root_ca_fname1, root_ca)
self.master.put_file_contents(ipa_ca_fname1, ipa_ca)
# Step 2 of ipa-server-install.
install_server_external_ca_step2(self.master, ipa_ca_fname1,
root_ca_fname1)
cert_nick = "caSigningCert cert-pki-ca"
result = self.master.run_command([
'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR, '-n', cert_nick
])
assert "CN=RootCA1" in result.stdout_text
def test_install_external_ca(self):
# Create root CA
external_ca = ExternalCA()
# Create root CA
root_ca = external_ca.create_ca()
root_ca_fname = os.path.join(self.master.config.test_dir, ROOT_CA)
# Transport certificates (string > file) to master
self.master.put_file_contents(root_ca_fname, root_ca)
# Install new cert
self.master.run_command(
[paths.IPA_CACERT_MANAGE, 'install', root_ca_fname])
def test_install_external_ca(self):
# Create root CA
external_ca = ExternalCA()
# Create root CA
root_ca = external_ca.create_ca()
root_ca_fname = os.path.join(self.master.config.test_dir, ROOT_CA)
# Transport certificates (string > file) to master
self.master.put_file_contents(root_ca_fname, root_ca)
# Install new cert
self.master.run_command([paths.IPA_CACERT_MANAGE, 'install',
root_ca_fname])
def test_ssh_leak(self):
"""
Integration test for https://pagure.io/SSSD/sssd/issue/3794
"""
def count_pipes():
res = self.master.run_command(['pidof', 'sssd_ssh'])
pid = res.stdout_text.strip()
proc_path = '/proc/{}/fd'.format(pid)
res = self.master.run_command(['ls', '-la', proc_path])
fds_text = res.stdout_text.strip()
return sum((1 for _ in re.finditer(r'pipe', fds_text)))
test_user = '******'
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-add', test_user,
'--first=tester', '--last=tester'])
certs = []
# we are ok with whatever certificate for this test
external_ca = ExternalCA()
for _dummy in range(3):
cert = external_ca.create_ca()
cert = tasks.strip_cert_header(cert.decode('utf-8'))
certs.append('"{}"'.format(cert))
cert_args = list(
chain.from_iterable(list(zip(repeat('--certificate'), certs))))
cmd = 'ipa user-add-cert {} {}'.format(test_user, ' '.join(cert_args))
self.master.run_command(cmd)
tasks.clear_sssd_cache(self.master)
num_of_pipes = count_pipes()
for _dummy in range(3):
self.master.run_command([paths.SSS_SSH_AUTHORIZEDKEYS, test_user])
current_num_of_pipes = count_pipes()
assert current_num_of_pipes == num_of_pipes
# cleanup
self.master.run_command(['ipa', 'user-del', test_user])
def test_ssh_leak(self):
"""
Integration test for https://pagure.io/SSSD/sssd/issue/3794
"""
def count_pipes():
res = self.master.run_command(['pidof', 'sssd_ssh'])
pid = res.stdout_text.strip()
proc_path = '/proc/{}/fd'.format(pid)
res = self.master.run_command(['ls', '-la', proc_path])
fds_text = res.stdout_text.strip()
return sum((1 for _ in re.finditer(r'pipe', fds_text)))
test_user = '******'
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-add', test_user,
'--first=tester', '--last=tester'])
certs = []
# we are ok with whatever certificate for this test
external_ca = ExternalCA()
for _dummy in range(3):
cert = external_ca.create_ca()
cert = tasks.strip_cert_header(cert.decode('utf-8'))
certs.append('"{}"'.format(cert))
cert_args = list(
chain.from_iterable(list(zip(repeat('--certificate'), certs))))
cmd = 'ipa user-add-cert {} {}'.format(test_user, ' '.join(cert_args))
self.master.run_command(cmd)
tasks.clear_sssd_cache(self.master)
num_of_pipes = count_pipes()
for _dummy in range(3):
self.master.run_command([paths.SSS_SSH_AUTHORIZEDKEYS, test_user])
current_num_of_pipes = count_pipes()
assert current_num_of_pipes == num_of_pipes
# cleanup
self.master.run_command(['ipa', 'user-del', test_user])
def test_advice_config_client_for_smart_card_auth(self):
advice_id = 'config_client_for_smart_card_auth'
advice_regex = r"\#\!\/bin\/sh.*"
run_advice(self.master, advice_id, advice_regex)
client = self.clients[0]
ca_pem = ExternalCA().create_ca()
ca_file = tasks.upload_temp_contents(client, ca_pem)
try:
self.execute_advise(client, advice_id, ca_file)
finally:
client.run_command(['rm', '-f', ca_file])
def test_master_install_ca1(self):
install_server_external_ca_step1(self.master)
# Sign CA, transport it to the host and get ipa a root ca paths.
root_ca_fname1 = tempfile.mkdtemp(suffix='root_ca.crt', dir=paths.TMP)
ipa_ca_fname1 = tempfile.mkdtemp(suffix='ipa_ca.crt', dir=paths.TMP)
ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR)
external_ca = ExternalCA()
root_ca = external_ca.create_ca(cn='RootCA1')
ipa_ca = external_ca.sign_csr(ipa_csr)
self.master.put_file_contents(root_ca_fname1, root_ca)
self.master.put_file_contents(ipa_ca_fname1, ipa_ca)
# Step 2 of ipa-server-install.
install_server_external_ca_step2(self.master, ipa_ca_fname1,
root_ca_fname1)
cert_nick = "caSigningCert cert-pki-ca"
result = self.master.run_command([
'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR,
'-n', cert_nick])
assert "CN=RootCA1" in result.stdout_text
def test_master_install_ca2(self):
root_ca_fname2 = tempfile.mkdtemp(suffix='root_ca.crt', dir=paths.TMP)
ipa_ca_fname2 = tempfile.mkdtemp(suffix='ipa_ca.crt', dir=paths.TMP)
self.master.run_command([
paths.IPA_CACERT_MANAGE, 'renew', '--external-ca'])
ipa_csr = self.master.get_file_contents(paths.IPA_CA_CSR)
external_ca = ExternalCA()
root_ca = external_ca.create_ca(cn='RootCA2')
ipa_ca = external_ca.sign_csr(ipa_csr)
self.master.put_file_contents(root_ca_fname2, root_ca)
self.master.put_file_contents(ipa_ca_fname2, ipa_ca)
# Step 2 of ipa-server-install.
self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
'--external-cert-file', ipa_ca_fname2,
'--external-cert-file', root_ca_fname2])
cert_nick = "caSigningCert cert-pki-ca"
result = self.master.run_command([
'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR,
'-n', cert_nick])
assert "CN=RootCA2" in result.stdout_text
def test_advice_config_server_for_smart_card_auth(self):
advice_id = 'config_server_for_smart_card_auth'
advice_regex = r"\#\!\/bin\/sh.*"
run_advice(self.master, advice_id, advice_regex)
ca_pem = ExternalCA().create_ca()
ca_file = tasks.upload_temp_contents(self.master, ca_pem)
try:
self.execute_advise(self.master, advice_id, ca_file)
except Exception:
# debug: sometimes ipa-certupdate times out in
# "Resubmitting certmonger request"
self.master.run_command(['getcert', 'list'])
raise
finally:
self.master.run_command(['rm', '-f', ca_file])
sssd_conf = self.master.get_file_contents(paths.SSSD_CONF,
encoding='utf-8')
assert constants.HTTPD_USER in sssd_conf
assert IPAAPI_USER in sssd_conf
