def test_sign_smime_csr_full_principal(self, smime_profile, smime_user):
    """Request an S/MIME certificate using the realm-qualified principal.

    The CSR is submitted while authenticated as the S/MIME user, with the
    principal written as ``user@REALM`` and the S/MIME profile selected.
    No CA is named in the request. The test passes when ``cert_request``
    raises nothing.
    """
    request_csr = generate_user_csr(smime_user)
    realm_qualified = '@'.join([smime_user, api.env.realm])
    with change_principal(smime_user, SMIME_USER_PW):
        api.Command.cert_request(
            request_csr,
            principal=realm_qualified,
            profile_id=smime_profile.name,
        )
def test_sign_smime_csr(self, smime_profile, smime_user):
    """Expect ``cert_request`` with only the S/MIME profile to be refused.

    Authenticated as the S/MIME user, the request names the profile but no
    CA, and must raise ``errors.CertificateOperationError``.
    """
    request_csr = generate_user_csr(smime_user)
    # Only the cert_request call sits under pytest.raises; the principal
    # switch itself is outside the expected-failure scope.
    with change_principal(smime_user, SMIME_USER_PW), \
            pytest.raises(errors.CertificateOperationError):
        api.Command.cert_request(
            request_csr,
            principal=smime_user,
            profile_id=smime_profile.name,
        )
def test_sign_smime_csr(self, smime_profile, smime_user, smime_signing_ca):
    """Request an S/MIME certificate naming both the profile and the CA.

    Runs as the S/MIME user and passes ``profile_id`` and ``cacn``
    explicitly. The test passes when ``cert_request`` raises nothing.
    """
    request_csr = generate_user_csr(smime_user)
    with change_principal(smime_user, SMIME_USER_PW):
        api.Command.cert_request(
            request_csr,
            principal=smime_user,
            profile_id=smime_profile.name,
            cacn=smime_signing_ca.name,
        )
def test_signing_with_disabled_acl(self, smime_acl, smime_profile,
                                   smime_user):
    """Expect an ``ACIError`` when the S/MIME user requests a certificate.

    The test name says the CA ACL is disabled at this point; that state is
    prepared outside this method (``smime_acl`` is requested but not
    referenced in the body).
    """
    request_csr = generate_user_csr(smime_user)
    # The denial must come from cert_request itself, so pytest.raises is
    # the innermost context.
    with change_principal(smime_user, SMIME_USER_PW), \
            pytest.raises(errors.ACIError):
        api.Command.cert_request(
            request_csr,
            profile_id=smime_profile.name,
            principal=smime_user,
        )
def test_signing_with_disabled_acl(self, smime_acl, smime_profile,
                                   smime_user):
    """Check that certificate issuance is denied with ``ACIError``.

    The request is made as the S/MIME user with the S/MIME profile. The
    ``smime_acl`` fixture is not used in the body; the "disabled" state in
    the test name is presumably arranged by an earlier step.
    """
    user_csr = generate_user_csr(smime_user)
    with change_principal(smime_user, SMIME_USER_PW):
        expect_denied = pytest.raises(errors.ACIError)
        with expect_denied:
            api.Command.cert_request(
                user_csr,
                profile_id=smime_profile.name,
                principal=smime_user,
            )
def test_sign_smime_csr_full_principal(
        self, smime_profile, smime_user, smime_signing_ca):
    """Request an S/MIME certificate with a ``user@REALM`` principal.

    The request is made as the S/MIME user and names both the profile and
    the signing CA. The test passes when ``cert_request`` raises nothing.
    """
    user_csr = generate_user_csr(smime_user)
    realm_qualified = '@'.join([smime_user, api.env.realm])
    with change_principal(smime_user, SMIME_USER_PW):
        api.Command.cert_request(
            user_csr,
            principal=realm_qualified,
            profile_id=smime_profile.name,
            cacn=smime_signing_ca.name,
        )
def test_request_cert_with_SAN_matching_principal_alias(
        self, santest_subca, santest_host_1,
        santest_service_host_1, santest_csr):
    """Request a service certificate while authenticated as host 1.

    The host authenticates with its keytab and asks the sub-CA for a
    certificate for the service principal. The test passes when
    ``cert_request`` raises nothing. The SAN/alias relationship in the
    test name is set up by the fixtures, not in this method.
    """
    with host_keytab(santest_host_1.name) as keytab_path:
        host_principal = santest_host_1.attrs['krbcanonicalname'][0]
        with change_principal(host_principal, keytab=keytab_path):
            api.Command.cert_request(
                santest_csr,
                principal=santest_service_host_1.name,
                cacn=santest_subca.name,
            )
def test_managed_service(self, managing_host, managed_service):
    """Create and then delete a service while authenticated as a host.

    The host entry is ensured first; the service is then added and removed
    using the host's own keytab credentials.
    """
    managing_host.ensure_exists()
    with host_keytab(managing_host.name) as keytab_path:
        host_principal = managing_host.attrs['krbcanonicalname'][0]
        with change_principal(host_principal, keytab=keytab_path):
            managed_service.create()
            managed_service.delete()
def test_verify_cert_issuer_dn_is_subca(
        self, smime_profile, smime_user, smime_signing_ca):
    """Verify that the issued certificate's issuer is the signing sub-CA.

    A certificate is requested as the S/MIME user with the profile and CA
    named explicitly; the ``issuer`` field of the result must equal the
    CA's ``ipasubjectdn``.
    """
    user_csr = generate_user_csr(smime_user)
    realm_qualified = '@'.join([smime_user, api.env.realm])
    with change_principal(smime_user, SMIME_USER_PW):
        response = api.Command.cert_request(
            user_csr,
            principal=realm_qualified,
            profile_id=smime_profile.name,
            cacn=smime_signing_ca.name,
        )

    issuer_dn = response['result']['issuer']
    assert issuer_dn == smime_signing_ca.ipasubjectdn
def __enter__(self):
    """Switch to the configured principal and arm the expected exception.

    Resets ``value``/``returned``, enters ``change_principal`` for
    ``self.user``/``self.password`` and, when ``self.exception`` is set,
    also enters ``pytest.raises`` for it. Both context managers are kept
    on the instance; the matching ``__exit__`` is not visible here.
    """
    self.value = None
    self.returned = False

    principal_cm = change_principal(self.user, self.password)
    self.change_principal_cm = principal_cm
    principal_cm.__enter__()  # pylint: disable=no-member

    if not self.exception:
        return self

    # The principal switch is entered first, so the expected exception
    # covers only what runs after this method returns.
    raises_cm = pytest.raises(self.exception)
    self.assert_raises_cm = raises_cm
    raises_cm.__enter__()
    return self
def test_request_cert_with_additional_host(
        self, santest_subca, santest_host_1, santest_host_2,
        santest_service_host_1, santest_csr):
    """Request a service certificate from the sub-CA as host 1.

    Host 1 authenticates with its keytab. The test passes when
    ``cert_request`` raises nothing. ``santest_host_2`` is requested as a
    fixture but not referenced in the body.
    """
    with host_keytab(santest_host_1.name) as keytab_path:
        requester = santest_host_1.attrs['krbcanonicalname'][0]
        with change_principal(requester, keytab=keytab_path):
            api.Command.cert_request(
                santest_csr,
                principal=santest_service_host_1.name,
                cacn=santest_subca.name,
            )
def test_request_cert_with_not_allowed_SAN(self, santest_subca,
                                           santest_host_1,
                                           santest_service_host_1,
                                           santest_csr):
    """Expect ``errors.NotFound`` for the service certificate request.

    Host 1 authenticates with its keytab and asks the sub-CA for a
    certificate for the service principal. The SAN content that makes
    the request unacceptable is prepared by the fixtures.
    """
    with host_keytab(santest_host_1.name) as keytab_path:
        requester = santest_host_1.attrs['krbcanonicalname'][0]
        # pytest.raises is innermost so that only cert_request can satisfy
        # the expected failure.
        with change_principal(requester, keytab=keytab_path), \
                pytest.raises(errors.NotFound):
            api.Command.cert_request(
                santest_csr,
                principal=santest_service_host_1.name,
                cacn=santest_subca.name,
            )
def test_whoami_kerberos_services(self, krb_host, krb_service):
    """Check ``whoami`` output when authenticated as a Kerberos service.

    The service entry is ensured, a keytab is fetched with
    ``get_entity_keytab(..., '-r')`` and the reply must identify a
    ``service`` object resolved through ``service_show/1``.
    ``krb_host`` is not referenced in the body.
    """
    krb_service.ensure_exists()
    with get_entity_keytab(krb_service.name, '-r') as service_keytab:
        service_principal = krb_service.attrs['krbcanonicalname'][0]
        with change_principal(service_principal, keytab=service_keytab):
            actual = api.Command.whoami()
            wanted = {
                u'object': u'service',
                u'command': u'service_show/1',
                u'arguments': (krb_service.name,),
            }
            assert_deepequal(wanted, actual)
def test_request_cert_with_additional_host(self, santest_subca,
                                           santest_host_1, santest_host_2,
                                           santest_service_host_1,
                                           santest_csr):
    """Expect ``ACIError`` when host 1 requests the service certificate.

    Host 1 authenticates with its keytab and submits the CSR to the
    sub-CA for the service principal. ``santest_host_2`` is requested as
    a fixture but not referenced in the body.
    """
    with host_keytab(santest_host_1.name) as keytab_path:
        requester = santest_host_1.attrs['krbcanonicalname'][0]
        with change_principal(requester, keytab=keytab_path):
            # Innermost scope: the denial has to come from cert_request.
            with pytest.raises(errors.ACIError):
                api.Command.cert_request(
                    santest_csr,
                    principal=santest_service_host_1.name,
                    cacn=santest_subca.name,
                )
def test_request_cert_with_not_allowed_SAN(
        self, santest_subca, santest_host_1, santest_host_2,
        santest_service_host_1, santest_csr):
    """Expect ``ACIError`` for a service certificate request by host 1.

    The request goes to the sub-CA under host 1's keytab credentials.
    Which SAN entry is not permitted is determined by the fixtures;
    ``santest_host_2`` is not referenced in the body.
    """
    with host_keytab(santest_host_1.name) as keytab_path:
        requester = santest_host_1.attrs['krbcanonicalname'][0]
        with change_principal(requester, keytab=keytab_path), \
                pytest.raises(errors.ACIError):
            api.Command.cert_request(
                santest_csr,
                principal=santest_service_host_1.name,
                cacn=santest_subca.name,
            )
def test_whoami_hosts(self, krb_host):
    """Check ``whoami`` output when authenticated as a host.

    The host authenticates with its keytab; the reply must identify a
    ``host`` object resolved through ``host_show/1`` with the host's FQDN
    as the argument.
    """
    krb_host.ensure_exists()
    with host_keytab(krb_host.name) as keytab_path:
        host_principal = krb_host.attrs['krbcanonicalname'][0]
        with change_principal(host_principal, keytab=keytab_path):
            actual = api.Command.whoami()
            wanted = {
                u'object': u'host',
                u'command': u'host_show/1',
                u'arguments': (krb_host.fqdn,),
            }
            assert_deepequal(wanted, actual)
def test_delete(self, globalCfg, userCfg, allowDelLast, user): """ Test the deletion of the last otp token The user auth type can be defined at a global level, or per-user if the override is not disabled. Depending on the resulting setting, the deletion of last token is allowed or forbidden. """ # Save current global config result = api.Command.config_show() current_globalCfg = result.get('ipauserauthtype', None) try: # Set the global config for the test api.Command.config_mod(ipauserauthtype=globalCfg) except errors.EmptyModlist: pass try: user.ensure_exists() api.Command.user_mod(user.name, userpassword=user_password) unlock_principal_password(user.name, user_password, user_password) # Set the user config for the test api.Command.user_mod(user.name, ipauserauthtype=userCfg) # Connect as user, create and delete the token with change_principal(user.name, user_password): api.Command.otptoken_add(u'lastotp', description=u'last otp', ipatokenowner=user.name) if allowDelLast: # We are expecting the del command to succeed api.Command.otptoken_del(u'lastotp') else: # We are expecting the del command to fail with pytest.raises(errors.DatabaseError): api.Command.otptoken_del(u'lastotp') finally: # Make sure the token is removed try: api.Command.otptoken_del(u'lastotp',) except errors.NotFound: pass # Restore the previous ipauserauthtype try: api.Command.config_mod(ipauserauthtype=current_globalCfg) except errors.EmptyModlist: pass
def test_whoami_kerberos_services(self, krb_host, krb_service):
    """Verify what ``whoami`` reports for a Kerberos service principal.

    After ensuring the service exists, the test authenticates with a
    keytab obtained via ``get_entity_keytab(..., '-r')`` and compares the
    reply with the expected ``service`` / ``service_show/1`` structure.
    ``krb_host`` is requested as a fixture but not used in the body.
    """
    krb_service.ensure_exists()
    with get_entity_keytab(krb_service.name, '-r') as svc_keytab:
        with change_principal(krb_service.attrs['krbcanonicalname'][0],
                              keytab=svc_keytab):
            reply = api.Command.whoami()
            reference = {
                u'object': u'service',
                u'command': u'service_show/1',
                u'arguments': (krb_service.name,),
            }
            assert_deepequal(reference, reply)
def test_sign_smime_csr_fallback_to_default_CA(
        self, smime_profile, smime_user, smime_signing_ca):
    """
    Attempt to sign a CSR without CA specified.

    The request will satisfy SMIME_ACL via the profile ID,
    however not specifying the CA will fallback to the IPA CA
    for which SMIME profile isn't enabled, thus violating ACL.
    The expected outcome is ``errors.ACIError``.
    """
    user_csr = generate_user_csr(smime_user)
    realm_qualified = '@'.join([smime_user, api.env.realm])
    # NOTE(review): pytest.raises also encloses change_principal here, so
    # an ACIError raised while switching principal (if that can happen)
    # would satisfy this test as well as a denial from cert_request.
    with pytest.raises(errors.ACIError), \
            change_principal(smime_user, SMIME_USER_PW):
        api.Command.cert_request(
            user_csr,
            principal=realm_qualified,
            profile_id=smime_profile.name,
        )
def test_whoami_hosts(self, krb_host):
    """Verify what ``whoami`` reports for a host principal.

    The host entry is ensured, the test authenticates with the host's
    keytab, and the reply is compared with the expected
    ``host`` / ``host_show/1`` structure carrying the host's FQDN.
    """
    krb_host.ensure_exists()
    with host_keytab(krb_host.name) as host_kt:
        with change_principal(krb_host.attrs['krbcanonicalname'][0],
                              keytab=host_kt):
            reply = api.Command.whoami()
            reference = {
                u'object': u'host',
                u'command': u'host_show/1',
                u'arguments': (krb_host.fqdn,),
            }
            assert_deepequal(reference, reply)
def test_authenticate_with_user_alias(self, krbalias_user):
    """Authenticate with a principal alias and run ``ping``.

    The user gets an extra principal named ``<name>-alias`` and a
    password; ``unlock_principal_password`` is then called with the old
    and new password (presumably performing the initial password change).
    Authentication uses the alias with ``canonicalize=True``; the test
    passes when ``ping`` raises nothing.
    """
    krbalias_user.ensure_exists()

    alias = u"{name}-alias".format(name=krbalias_user.name)
    krbalias_user.add_principal(alias)

    # Fixed test-only credentials for the throwaway user.
    oldpw = u"Secret1234"
    newpw = u"Secret123"

    set_password = krbalias_user.make_update_command({'userpassword': oldpw})
    set_password()
    unlock_principal_password(krbalias_user.name, oldpw, newpw)

    with change_principal(alias, newpw, canonicalize=True):
        api.Command.ping()
def test_sign_smime_csr_fallback_to_default_cert_profile(
        self, smime_profile, smime_user, smime_signing_ca):
    """
    Attempt to sign a CSR without certificate profile specified.

    Similar to previous test case.
    By specifying only the CA to use, profile will fallback to
    the default caIPAserviceCert profile which is not enabled
    via ACL to be used with the CA, thus failing the request.
    The expected outcome is ``errors.ACIError``.
    """
    user_csr = generate_user_csr(smime_user)
    realm_qualified = '@'.join([smime_user, api.env.realm])
    # NOTE(review): pytest.raises also encloses change_principal here, so
    # an ACIError raised while switching principal (if that can happen)
    # would satisfy this test as well as a denial from cert_request.
    with pytest.raises(errors.ACIError), \
            change_principal(smime_user, SMIME_USER_PW):
        api.Command.cert_request(
            user_csr,
            principal=realm_qualified,
            cacn=smime_signing_ca.name,
        )
def test_whoami_users(self, krb_user):
    """Check ``whoami`` output when authenticated as a regular user.

    The user's password is set to ``self.oldpw``,
    ``unlock_principal_password`` is called with the old and new
    password, and the test then authenticates with ``self.newpw``. The
    reply must identify a ``user`` object resolved through
    ``user_show/1``.
    """
    krb_user.ensure_exists()
    krb_user.make_update_command({'userpassword': self.oldpw})()
    unlock_principal_password(krb_user.name, self.oldpw, self.newpw)

    with change_principal(krb_user.name, self.newpw):
        actual = api.Command.whoami()
        wanted = {
            u'object': u'user',
            u'command': u'user_show/1',
            u'arguments': (krb_user.name,),
        }
        assert_deepequal(wanted, actual)
def test_issuing_service_cert_by_related_host(self, santest_subca,
                                              santest_host_1,
                                              santest_host_2,
                                              santest_service_host_1,
                                              santest_csr):
    """Request the service certificate as a host that manages the service.

    Host 2 is first added to the service's managing hosts, then host 2
    authenticates with its keytab and requests the certificate from the
    sub-CA. The test passes when ``cert_request`` raises nothing.
    ``santest_host_1`` is not referenced in the body.
    """
    # This changes state left by earlier tests: the service becomes
    # managed by the second host before the request is repeated.
    add_managing_host = api.Command['service_add_host']
    add_managing_host(santest_service_host_1.name,
                      host=[santest_host_2.fqdn])

    with host_keytab(santest_host_2.name) as keytab_path:
        requester = santest_host_2.attrs['krbcanonicalname'][0]
        with change_principal(requester, keytab=keytab_path):
            api.Command.cert_request(
                santest_csr,
                principal=santest_service_host_1.name,
                cacn=santest_subca.name,
            )
def test_whoami_users(self, krb_user):
    """Verify what ``whoami`` reports for a user principal.

    Sets the user's password to ``self.oldpw``, calls
    ``unlock_principal_password`` with the old and new password, then
    authenticates with ``self.newpw`` and compares the reply with the
    expected ``user`` / ``user_show/1`` structure.
    """
    krb_user.ensure_exists()

    set_password = krb_user.make_update_command(
        {'userpassword': self.oldpw})
    set_password()
    unlock_principal_password(krb_user.name, self.oldpw, self.newpw)

    with change_principal(krb_user.name, self.newpw):
        reply = api.Command.whoami()
        reference = {
            u'object': u'user',
            u'command': u'user_show/1',
            u'arguments': (krb_user.name,),
        }
        assert_deepequal(reference, reply)
def test_issuing_service_cert_by_related_host(self, santest_subca,
                                              santest_host_1,
                                              santest_host_2,
                                              santest_service_host_1,
                                              santest_csr):
    """Issue the service certificate on behalf of a managing host.

    The second host is added as a manager of the service, authenticates
    with its own keytab and requests the certificate from the sub-CA.
    No exception is expected. ``santest_host_1`` is unused in the body.
    """
    # Alters the state from the preceding tests: the service is now
    # managed by the second host, and the request is attempted again.
    api.Command['service_add_host'](
        santest_service_host_1.name,
        host=[santest_host_2.fqdn],
    )

    with host_keytab(santest_host_2.name) as host2_keytab:
        with change_principal(santest_host_2.attrs['krbcanonicalname'][0],
                              keytab=host2_keytab):
            api.Command.cert_request(
                santest_csr,
                principal=santest_service_host_1.name,
                cacn=santest_subca.name,
            )
def test_sign_smime_csr(self, smime_profile, smime_user):
    """Request an S/MIME certificate as the S/MIME user.

    Only the profile is named in the request; no CA is passed. The test
    passes when ``cert_request`` raises nothing.
    """
    user_csr = generate_user_csr(smime_user)
    with change_principal(smime_user, SMIME_USER_PW):
        api.Command.cert_request(
            user_csr,
            principal=smime_user,
            profile_id=smime_profile.name,
        )