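def test_sub_ca_key_replication(self):
    """Check that a sub-CA added on the master becomes usable on a replica.

    Adds ``self.SUBCA`` on the master, waits for replication, then on the
    first replica verifies that ``ipa ca-show`` succeeds, that the sub-CA
    certificate is present in the PKI tomcat NSS database under the
    expected nickname, and that the PKI debug log does not contain the
    cert/key import error message ``self.ERR_MESS``.

    Raises:
        AssertionError: if ``ipa ca-add`` did not print exactly one
            Authority ID, or if ``self.ERR_MESS`` is found in the log.
    """
    master = self.master
    replica = self.replicas[0]

    result = master.run_command(
        ['ipa', 'ca-add', self.SUBCA, '--subject', self.SUBCA_CN])

    # The authority ID (a UUID) is part of the NSS nickname under which
    # the sub-CA certificate is stored on the replica.
    uuid = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
    auth_id_re = re.compile('Authority ID: ({})'.format(uuid), re.IGNORECASE)
    auth_ids = auth_id_re.findall(result.stdout_text)
    # Fail here with a readable message rather than letting a missing or
    # duplicated ID (the old "".join() silently produced "" or a
    # concatenation) surface later as an obscure certutil lookup failure.
    assert len(auth_ids) == 1, (
        "expected exactly one Authority ID in ca-add output, got {!r}:\n{}"
        .format(auth_ids, result.stdout_text))
    auth_id = auth_ids[0]
    cert_nick = '{} {}'.format(IPA_CA_NICKNAME, auth_id)

    # give replication some time
    time.sleep(30)
    replica.run_command(['ipa-certupdate'])
    replica.run_command(['ipa', 'ca-show', self.SUBCA])
    tasks.run_certutil(replica, ['-L', '-n', cert_nick],
                       paths.PKI_TOMCAT_ALIAS_DIR)

    # NOTE(review): the whole debug log is scanned, so an import error
    # logged by an earlier test on this replica would also trip this check.
    pki_debug_log = replica.get_file_contents(self.PKI_DEBUG_PATH,
                                              encoding='utf-8')
    # check for cert/key import error message
    assert self.ERR_MESS not in pki_debug_log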
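def test_sub_ca_key_replication(self):
    """Check that a sub-CA added on the master becomes usable on a replica.

    Adds ``self.SUBCA`` on the master, waits for replication, then on the
    first replica verifies that ``ipa ca-show`` succeeds, that the sub-CA
    certificate is present in the PKI tomcat NSS database under the
    expected nickname, and that today's PKI debug log does not contain the
    cert/key import error message ``self.ERR_MESS``.

    Raises:
        AssertionError: if ``ipa ca-add`` did not print exactly one
            Authority ID, or if ``self.ERR_MESS`` is found in the log.
    """
    master = self.master
    replica = self.replicas[0]

    result = master.run_command(
        ['ipa', 'ca-add', self.SUBCA, '--subject', self.SUBCA_CN])

    # The authority ID (a UUID) is part of the NSS nickname under which
    # the sub-CA certificate is stored on the replica.
    uuid = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
    auth_id_re = re.compile('Authority ID: ({})'.format(uuid), re.IGNORECASE)
    auth_ids = auth_id_re.findall(result.stdout_text)
    # Fail here with a readable message rather than letting a missing or
    # duplicated ID (the old "".join() silently produced "" or a
    # concatenation) surface later as an obscure certutil lookup failure.
    assert len(auth_ids) == 1, (
        "expected exactly one Authority ID in ca-add output, got {!r}:\n{}"
        .format(auth_ids, result.stdout_text))
    auth_id = auth_ids[0]
    cert_nick = '{} {}'.format(IPA_CA_NICKNAME, auth_id)

    # give replication some time
    time.sleep(30)
    replica.run_command(['ipa-certupdate'])
    replica.run_command(['ipa', 'ca-show', self.SUBCA])
    tasks.run_certutil(replica, ['-L', '-n', cert_nick],
                       paths.PKI_TOMCAT_ALIAS_DIR)

    # The log file name carries a date, presumably because the PKI debug
    # log is rotated daily.
    # NOTE(review): the date comes from the test controller's clock; a
    # replica in another timezone, or a run crossing midnight, may end up
    # reading the wrong (or a missing) file — confirm.
    pki_log_filename = "{path}.{date}.log".format(
        path=self.PKI_DEBUG_PATH, date=time.strftime("%Y-%m-%d"))
    pki_debug_log = replica.get_file_contents(pki_log_filename,
                                              encoding='utf-8')
    # check for cert/key import error message
    assert self.ERR_MESS not in pki_debug_log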
def check_subca(self, host, name, cert_nick):
    """Verify that sub-CA *name* is visible and its key material is on *host*.

    Runs ``ipa ca-show`` for *name*, lists the certificate *cert_nick* in
    the PKI tomcat NSS database, and lists the matching private key with
    the database password file. No ``raiseonerr=False`` is passed, so a
    failing command presumably propagates to the caller.
    """
    nssdb = paths.PKI_TOMCAT_ALIAS_DIR
    pwdfile = paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT

    host.run_command(['ipa', 'ca-show', name])
    tasks.run_certutil(host, ['-L', '-n', cert_nick], nssdb)

    # certutil -K lists private keys; unlike the -L call above it is given
    # the database password file (-f) to open the key slot.
    key_listing = [
        paths.CERTUTIL, '-d', nssdb, '-f', pwdfile, '-K', '-n', cert_nick,
    ]
    host.run_command(key_listing)
def get_certinfo(self, host):
    """Return ``(certs, keys)`` read from the PKI tomcat NSS database on *host*.

    ``certs`` maps certificate nickname -> trust flags (``certutil -L``)
    and ``keys`` maps key nickname -> key id (``certutil -K``). Each
    listing is parsed line by line with ``certdb.CERT_RE`` /
    ``certdb.KEY_RE``; non-matching lines are skipped and a nickname that
    appears more than once keeps the last value seen.
    """
    nssdb = paths.PKI_TOMCAT_ALIAS_DIR
    pwd_args = ['-f', paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT]

    def listing(flag, regex, value_group):
        # Run one certutil listing and collect nick -> <value_group>.
        out = tasks.run_certutil(host, [flag] + pwd_args, nssdb).stdout_text
        parsed = {}
        for line in out.splitlines():
            match = regex.match(line)
            if match is not None:
                parsed[match.group('nick')] = match.group(value_group)
        return parsed

    certs = listing('-L', certdb.CERT_RE, 'flags')
    keys = listing('-K', certdb.KEY_RE, 'keyid')
    return certs, keys
def install(cls, mh):
    """Prepare the master for the certificate-in-ID-override tests.

    After the base class install this enables the sssd InfoPipe responder
    (needed by test_dbus_user_lookup), establishes a trust with the first
    configured AD domain, and mints two self-signed certificates in a
    scratch NSS database on the master. The base64-DER and PEM forms of
    both certificates are stored as class attributes for the tests.
    """
    super(TestCertsInIDOverrides, cls).install(mh)
    cls.ad = config.ad_domains[0].ads[0]
    cls.ad_domain = cls.ad.domain.name
    cls.aduser = "******" % cls.ad_domain
    master = cls.master

    # --- setup for test_dbus_user_lookup ---------------------------------
    master.run_command(['dnf', 'install', '-y', 'sssd-dbus'],
                       raiseonerr=False)
    # The tasks.modify_sssd_conf way did not work because
    # sssd_domain.set_option knows nothing about 'services' parameter of
    # the sssd config file, so sssd.conf is patched with sed instead.
    # NOTE(review): the second substitution rewrites every "= 7" in the
    # file (presumably aimed at debug_level), not one specific key —
    # confirm it cannot hit another option.
    sssd_edits = [
        "sed -i '/^services/ s/$/, ifp/' %s" % paths.SSSD_CONF,
        "sed -i 's/= 7/= 0xFFF0/' %s" % paths.SSSD_CONF,
    ]
    master.run_command(sssd_edits[0])
    master.run_command(sssd_edits[1], raiseonerr=False)
    master.run_command(['systemctl', 'restart', 'sssd.service'])
    # --- end of setup for test_dbus_user_lookup ---------------------------

    # AD trust
    tasks.install_adtrust(master)
    tasks.sync_time(master, cls.ad)
    tasks.establish_trust_with_ad(cls.master, cls.ad_domain,
                                  extra_args=['--range-type', 'ipa-ad-trust'])

    # Scratch NSS database used only to mint the AD user certificates.
    cls.reqdir = os.path.join(master.config.test_dir, "certs")
    cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
    cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
    cls.pwname = os.path.join(cls.reqdir, "pwd")
    master.run_command(['mkdir', cls.reqdir], raiseonerr=False)
    # An empty password file initialises the database without a password.
    master.run_command(["touch", cls.pwname], raiseonerr=False)
    tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir)

    # Canned input for certutil's interactive prompts during -S
    # (presumably the key-generation seeding prompt — confirm). Test
    # fixture only; nothing here is meant to be secret.
    stdin_text = string.digits + string.ascii_letters[2:] + '\n'

    def make_self_signed(nick):
        # -x: self-signed; -v 120: validity in months; -m: serial number.
        tasks.run_certutil(master, [
            '-S', '-s', "cn=%s,dc=ad,dc=test" % nick, '-n', nick,
            '-x', '-t', 'CT,C,C', '-v', '120', '-m', '1234',
        ], cls.reqdir, stdin=stdin_text)

    def export_pem(nick, outfile):
        # NOTE(review): '>' is passed as an argv element; whether it acts
        # as a shell redirect depends on how run_certutil/run_command joins
        # the list — confirm; certutil's own '-o outfile' would not depend
        # on it.
        tasks.run_certutil(master, ['-L', '-n', nick, '-a', '>', outfile],
                           cls.reqdir)

    def openssl(fmt, path):
        # Shell string on purpose: the DER variant pipes into base64.
        return cls.master.run_command(fmt % path).stdout_text

    # Generate both certs first, then export them — same order as before.
    for nick in (cls.adcert1, cls.adcert2):
        make_self_signed(nick)
    export_pem(cls.adcert1, cls.adcert1_file)
    export_pem(cls.adcert2, cls.adcert2_file)

    der_b64 = "openssl x509 -outform der -in %s | base64 -w 0"
    pem = "openssl x509 -in %s -outform pem"
    cls.cert1_base64 = openssl(der_b64, cls.adcert1_file)
    cls.cert2_base64 = openssl(der_b64, cls.adcert2_file)
    cls.cert1_pem = openssl(pem, cls.adcert1_file)
    cls.cert2_pem = openssl(pem, cls.adcert2_file)
def test_installclient_as_user_admin(self):
    """ipa-client-install should not use hardcoded admin for principal

    The install log (ipaclient-install.log) must show the username that
    was typed at the enrollment prompt, not ``admin``. A user holding only
    host-enrollment privileges is created for that purpose, and after
    enrollment the client must also hold a host certificate and key in
    its NSS database.

    Related to : https://pagure.io/freeipa/issue/5406
    """
    client = self.clients[0]
    master = self.master

    def ipa(*argv, **kwargs):
        # Run one `ipa` CLI command on the master.
        return master.run_command(['ipa'] + list(argv), **kwargs)

    tasks.install_master(master)
    tasks.kinit_admin(master)

    username = '******'
    password = '******'
    # The password is fed on stdin (entered twice, as the prompt asks),
    # so it never appears in the command line.
    ipa('user-add', username, '--first', username, '--last', username,
        '--password', stdin_text="%s\n%s\n" % (password, password))

    # Minimal role that only allows enrolling hosts.
    ipa('role-add', 'useradmin')
    ipa('privilege-add', 'Add Hosts')
    ipa('privilege-add-permission', '--permissions', 'System: Add Hosts',
        'Add Hosts')
    for privilege in ('Host Enrollment', 'Add Hosts'):
        ipa('role-add-privilege', 'useradmin', '--privileges', privilege)
    ipa('role-add-member', 'useradmin', '--users={}'.format(username))

    # Three lines: presumably current password plus new password and its
    # confirmation for the forced change on first login — confirm.
    master.run_command(['kinit', username],
                       stdin_text="%s\n%s\n%s\n" % (password, password,
                                                    password))

    tasks.install_client(master, client, extra_args=['--request-cert'],
                         user=username, password=password)

    expected = "args=['/usr/bin/getent', 'passwd', '%s@%s']" % (
        username, client.domain.name)
    install_log = client.get_file_contents(paths.IPACLIENT_INSTALL_LOG,
                                           encoding='utf-8')
    assert expected in install_log

    # check that user is able to request a host cert, too
    certs = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR)
    assert 'Local IPA host' in certs.stdout_text
    keys = tasks.run_certutil(client,
                              ['-K', '-f', paths.IPA_NSSDB_PWDFILE_TXT],
                              paths.IPA_NSSDB_DIR)
    assert 'Local IPA host' in keys.stdout_text
def install(cls, mh):
    """Prepare the master for the certificate-in-ID-override tests.

    After the base class install this enables the sssd InfoPipe responder
    (needed by test_dbus_user_lookup), establishes a trust with the first
    configured AD domain, and mints two self-signed certificates in a
    scratch NSS database on the master. The base64-DER and PEM forms of
    both certificates are stored as class attributes for the tests.
    """
    super(TestCertsInIDOverrides, cls).install(mh)
    cls.ad = config.ad_domains[0].ads[0]
    cls.ad_domain = cls.ad.domain.name
    cls.aduser = "******" % cls.ad_domain
    master = cls.master
    run = master.run_command

    # Setup for test_dbus_user_lookup: add the InfoPipe responder to sssd.
    run(['dnf', 'install', '-y', 'sssd-dbus'], raiseonerr=False)
    # The tasks.modify_sssd_conf way did not work because
    # sssd_domain.set_option knows nothing about 'services' parameter of
    # the sssd config file, so sssd.conf is patched with sed instead.
    sssd_conf = paths.SSSD_CONF
    run("sed -i '/^services/ s/$/, ifp/' %s" % sssd_conf)
    # NOTE(review): this rewrites every "= 7" in sssd.conf (presumably
    # targeting debug_level) — confirm it cannot hit another option.
    run("sed -i 's/= 7/= 0xFFF0/' %s" % sssd_conf, raiseonerr=False)
    run(['systemctl', 'restart', 'sssd.service'])
    # End of setup for test_dbus_user_lookup

    # AD-related stuff
    tasks.install_adtrust(master)
    tasks.sync_time(master, cls.ad)
    tasks.establish_trust_with_ad(
        cls.master, cls.ad_domain,
        extra_args=['--range-type', 'ipa-ad-trust'])

    # Scratch NSS database (empty password file) for the test certificates.
    reqdir = os.path.join(master.config.test_dir, "certs")
    cls.reqdir = reqdir
    cls.reqfile1 = os.path.join(reqdir, "test1.csr")
    cls.reqfile2 = os.path.join(reqdir, "test2.csr")
    cls.pwname = os.path.join(reqdir, "pwd")
    run(['mkdir', reqdir], raiseonerr=False)
    run(["touch", cls.pwname], raiseonerr=False)
    tasks.run_certutil(master, ["-N", "-f", cls.pwname], reqdir)

    # Canned input for certutil -S prompts (presumably the key-generation
    # seeding prompt — confirm). Test fixture only; no secrecy intended.
    stdin_text = string.digits + string.ascii_letters[2:] + '\n'
    nicks = (cls.adcert1, cls.adcert2)
    for nick in nicks:
        # -x: self-signed; -v 120: validity in months; -m: serial number.
        tasks.run_certutil(master, [
            '-S', '-s', "cn=%s,dc=ad,dc=test" % nick, '-n', nick,
            '-x', '-t', 'CT,C,C', '-v', '120', '-m', '1234',
        ], reqdir, stdin=stdin_text)

    # Export the previously generated certs as PEM.
    # NOTE(review): '>' is handed to certutil as an argument; it only acts
    # as a redirect if run_command joins the list into a shell string —
    # confirm, or use certutil's '-o' option instead.
    outfiles = (cls.adcert1_file, cls.adcert2_file)
    for nick, outfile in zip(nicks, outfiles):
        tasks.run_certutil(master, ['-L', '-n', nick, '-a', '>', outfile],
                           reqdir)

    def shell_out(command):
        # Shell strings on purpose: the DER form is piped through base64.
        return cls.master.run_command(command).stdout_text

    cls.cert1_base64 = shell_out(
        "openssl x509 -outform der -in %s | base64 -w 0" % cls.adcert1_file)
    cls.cert2_base64 = shell_out(
        "openssl x509 -outform der -in %s | base64 -w 0" % cls.adcert2_file)
    cls.cert1_pem = shell_out(
        "openssl x509 -in %s -outform pem" % cls.adcert1_file)
    cls.cert2_pem = shell_out(
        "openssl x509 -in %s -outform pem" % cls.adcert2_file)