def setup(self): self.reqdir = tempfile.mkdtemp(prefix="tmp-") self.reqfile = self.reqdir + "/test.csr" self.pwname = self.reqdir + "/pwd" self.certfile = self.reqdir + "/cert.crt" # Create an empty password file with open(self.pwname, "w") as fp: fp.write("\n") # Create our temporary NSS database self.run_certutil(["-N", "-f", self.pwname]) self.subject = DN(('CN', self.host_fqdn), x509.subject_base())
def setup(self): self.reqdir = tempfile.mkdtemp(prefix = "tmp-") self.reqfile = self.reqdir + "/test.csr" self.pwname = self.reqdir + "/pwd" # Create an empty password file fp = open(self.pwname, "w") fp.write("\n") fp.close() # Create our temporary NSS database self.run_certutil(["-N", "-f", self.pwname]) self.subject = DN(('CN', self.host_fqdn), x509.subject_base())
def test_update_simple(self, host): host.update(dict(description=u'Updated host 1', usercertificate=get_testcert()), expected_updates=dict( description=[u'Updated host 1'], usercertificate=[base64.b64decode(get_testcert())], issuer=fuzzy_issuer, md5_fingerprint=fuzzy_hash, serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, sha1_fingerprint=fuzzy_hash, subject=DN(('CN', api.env.host), x509.subject_base()), valid_not_before=fuzzy_date, valid_not_after=fuzzy_date, )) host.retrieve()
def test_update_simple(self, host): host.update(dict( description=u'Updated host 1', usercertificate=get_testcert()), expected_updates=dict( description=[u'Updated host 1'], usercertificate=[base64.b64decode(get_testcert())], issuer=fuzzy_issuer, md5_fingerprint=fuzzy_hash, serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, sha1_fingerprint=fuzzy_hash, subject=DN(('CN', api.env.host), x509.subject_base()), valid_not_before=fuzzy_date, valid_not_after=fuzzy_date, )) host.retrieve()
def setUp(self): if 'cert_request' not in api.Command: raise nose.SkipTest('cert_request not registered') if not ipautil.file_exists(api.env.dot_ipa + os.sep + 'alias' + os.sep + '.pwd'): raise nose.SkipTest('developer self-signed CA not configured') super(test_cert, self).setUp() self.reqdir = tempfile.mkdtemp(prefix = "tmp-") self.reqfile = self.reqdir + "/test.csr" self.pwname = self.reqdir + "/pwd" # Create an empty password file fp = open(self.pwname, "w") fp.write("\n") fp.close() # Create our temporary NSS database self.run_certutil(["-N", "-f", self.pwname]) self.subject = DN(('CN', self.host_fqdn), x509.subject_base())
def renew_external_step_2(self, ca, old_cert): print("Importing the renewed CA certificate, please wait") options = self.options conn = api.Backend.ldap2 cert_file, ca_file = installutils.load_external_cert( options.external_cert_files, x509.subject_base()) nss_cert = None nss.nss_init(paths.PKI_TOMCAT_ALIAS_DIR) try: nss_cert = x509.load_certificate(old_cert, x509.DER) subject = nss_cert.subject der_subject = x509.get_der_subject(old_cert, x509.DER) #pylint: disable=E1101 pkinfo = nss_cert.subject_public_key_info.format() #pylint: enable=E1101 nss_cert = x509.load_certificate_from_file(cert_file.name) cert = nss_cert.der_data if nss_cert.subject != subject: raise admintool.ScriptError( "Subject name mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") if x509.get_der_subject(cert, x509.DER) != der_subject: raise admintool.ScriptError( "Subject name encoding mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") #pylint: disable=E1101 if nss_cert.subject_public_key_info.format() != pkinfo: raise admintool.ScriptError( "Subject public key info mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") #pylint: enable=E1101 finally: del nss_cert nss.nss_shutdown() with certs.NSSDatabase() as tmpdb: pw = ipautil.write_tmp_file(ipautil.ipa_generate_password()) tmpdb.create_db(pw.name) tmpdb.add_cert(old_cert, 'IPA CA', 'C,,') try: tmpdb.add_cert(cert, 'IPA CA', 'C,,') except ipautil.CalledProcessError as e: raise admintool.ScriptError( "Not compatible with the current CA certificate: %s" % e) ca_certs = x509.load_certificate_list_from_file(ca_file.name) for ca_cert in ca_certs: tmpdb.add_cert(ca_cert.der_data, str(ca_cert.subject), 'C,,') del ca_certs del ca_cert try: tmpdb.verify_ca_cert_validity('IPA CA') except ValueError as e: raise admintool.ScriptError( "Not a valid CA certificate: %s (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)" % e) trust_chain = tmpdb.get_trust_chain('IPA CA')[:-1] for nickname in trust_chain: try: ca_cert = tmpdb.get_cert(nickname) except RuntimeError: break certstore.put_ca_cert_nss( conn, api.env.basedn, ca_cert, nickname, ',,') dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) try: entry = conn.get_entry(dn, ['usercertificate']) entry['usercertificate'] = [cert] conn.update_entry(entry) except errors.NotFound: entry = conn.make_entry( dn, objectclass=['top', 'pkiuser', 'nscontainer'], cn=[self.cert_nickname], usercertificate=[cert]) conn.add_entry(entry) except errors.EmptyModlist: pass try: ca.set_renewal_master() except errors.NotFound: raise admintool.ScriptError("CA renewal master not found") self.resubmit_request(ca, 'ipaRetrieval') print("CA certificate successfully renewed")
def renew_external_step_2(self, ca, old_cert): print("Importing the renewed CA certificate, please wait") options = self.options conn = api.Backend.ldap2 cert_file, ca_file = installutils.load_external_cert( options.external_cert_files, x509.subject_base()) nss_cert = None nss.nss_init(paths.PKI_TOMCAT_ALIAS_DIR) try: nss_cert = x509.load_certificate(old_cert, x509.DER) subject = nss_cert.subject der_subject = x509.get_der_subject(old_cert, x509.DER) #pylint: disable=E1101 pkinfo = nss_cert.subject_public_key_info.format() #pylint: enable=E1101 nss_cert = x509.load_certificate_from_file(cert_file.name) cert = nss_cert.der_data if nss_cert.subject != subject: raise admintool.ScriptError( "Subject name mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") if x509.get_der_subject(cert, x509.DER) != der_subject: raise admintool.ScriptError( "Subject name encoding mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") #pylint: disable=E1101 if nss_cert.subject_public_key_info.format() != pkinfo: raise admintool.ScriptError( "Subject public key info mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") #pylint: enable=E1101 finally: del nss_cert nss.nss_shutdown() with certs.NSSDatabase() as tmpdb: pw = ipautil.write_tmp_file(ipautil.ipa_generate_password()) tmpdb.create_db(pw.name) tmpdb.add_cert(old_cert, 'IPA CA', 'C,,') try: tmpdb.add_cert(cert, 'IPA CA', 'C,,') except ipautil.CalledProcessError as e: raise admintool.ScriptError( "Not compatible with the current CA certificate: %s" % e) ca_certs = x509.load_certificate_list_from_file(ca_file.name) for ca_cert in ca_certs: tmpdb.add_cert(ca_cert.der_data, str(ca_cert.subject), 'C,,') del ca_certs del ca_cert try: tmpdb.verify_ca_cert_validity('IPA CA') except ValueError as e: raise admintool.ScriptError( "Not a valid CA certificate: %s (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)" % e) trust_chain = tmpdb.get_trust_chain('IPA CA')[:-1] for nickname in trust_chain: try: ca_cert = tmpdb.get_cert(nickname) except RuntimeError: break certstore.put_ca_cert_nss(conn, api.env.basedn, ca_cert, nickname, ',,') dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) try: entry = conn.get_entry(dn, ['usercertificate']) entry['usercertificate'] = [cert] conn.update_entry(entry) except errors.NotFound: entry = conn.make_entry( dn, objectclass=['top', 'pkiuser', 'nscontainer'], cn=[self.cert_nickname], usercertificate=[cert]) conn.add_entry(entry) except errors.EmptyModlist: pass try: ca.set_renewal_master() except errors.NotFound: raise admintool.ScriptError("CA renewal master not found") self.resubmit_request(ca, 'ipaRetrieval') print("CA certificate successfully renewed")
ipv6_fromip_ptr_dn = DN(('idnsname', ipv6_fromip_ptr), revipv6zone_dn) sshpubkey = u'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGAX3xAeLeaJggwTqMjxNwa6XHBUAikXPGMzEpVrlLDCZtv00djsFTBi38PkgxBJVkgRWMrcBsr/35lq7P6w8KGIwA8GI48Z0qBS2NBMJ2u9WQ2hjLN6GdMlo77O0uJY3251p12pCVIS/bHRSq8kHO2No8g7KA9fGGcagPfQH+ee3t7HUkpbQkFTmbPPN++r3V8oVUk5LxbryB3UIIVzNmcSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM019Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF0L public key test' sshpubkeyfp = u'SHA256:cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE public key test (ssh-rsa)' user1 = u'tuser1' user2 = u'tuser2' group1 = u'group1' group1_dn = get_group_dn(group1) group2 = u'group2' group2_dn = get_group_dn(group2) hostgroup1 = u'testhostgroup1' hostgroup1_dn = DN(('cn', hostgroup1), ('cn', 'hostgroups'), ('cn', 'accounts'), api.env.basedn) host_cert = get_testcert(DN(('CN', api.env.host), x509.subject_base()), 'host/%s@%s' % (api.env.host, api.env.realm)) @pytest.fixture(scope='class') def host(request): tracker = HostTracker(name=u'testhost1') return tracker.make_fixture(request) @pytest.fixture(scope='class') def host2(request): tracker = HostTracker(name=u'testhost2') return tracker.make_fixture(request)
def renew_external_step_2(self, ca, old_cert_der): print("Importing the renewed CA certificate, please wait") options = self.options conn = api.Backend.ldap2 cert_file, ca_file = installutils.load_external_cert( options.external_cert_files, x509.subject_base()) old_cert_obj = x509.load_certificate(old_cert_der, x509.DER) old_der_subject = x509.get_der_subject(old_cert_der, x509.DER) old_spki = old_cert_obj.public_key().public_bytes( serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo ) with open(cert_file.name) as f: new_cert_data = f.read() new_cert_der = x509.normalize_certificate(new_cert_data) new_cert_obj = x509.load_certificate(new_cert_der, x509.DER) new_der_subject = x509.get_der_subject(new_cert_der, x509.DER) new_spki = new_cert_obj.public_key().public_bytes( serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo ) if new_cert_obj.subject != old_cert_obj.subject: raise admintool.ScriptError( "Subject name mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") if new_der_subject != old_der_subject: raise admintool.ScriptError( "Subject name encoding mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") if new_spki != old_spki: raise admintool.ScriptError( "Subject public key info mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") with certs.NSSDatabase() as tmpdb: pw = ipautil.write_tmp_file(ipautil.ipa_generate_password()) tmpdb.create_db(pw.name) tmpdb.add_cert(old_cert_der, 'IPA CA', 'C,,') try: tmpdb.add_cert(new_cert_der, 'IPA CA', 'C,,') except ipautil.CalledProcessError as e: raise admintool.ScriptError( "Not compatible with the current CA certificate: %s" % e) ca_certs = x509.load_certificate_list_from_file(ca_file.name) for ca_cert in ca_certs: data = ca_cert.public_bytes(serialization.Encoding.DER) tmpdb.add_cert(data, str(DN(ca_cert.subject)), 'C,,') try: tmpdb.verify_ca_cert_validity('IPA CA') except ValueError as e: raise admintool.ScriptError( "Not a valid CA certificate: %s (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)" % e) trust_chain = tmpdb.get_trust_chain('IPA CA')[:-1] for nickname in trust_chain: try: ca_cert = tmpdb.get_cert(nickname) except RuntimeError: break certstore.put_ca_cert_nss( conn, api.env.basedn, ca_cert, nickname, ',,') dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) try: entry = conn.get_entry(dn, ['usercertificate']) entry['usercertificate'] = [new_cert_der] conn.update_entry(entry) except errors.NotFound: entry = conn.make_entry( dn, objectclass=['top', 'pkiuser', 'nscontainer'], cn=[self.cert_nickname], usercertificate=[new_cert_der]) conn.add_entry(entry) except errors.EmptyModlist: pass try: ca.set_renewal_master() except errors.NotFound: raise admintool.ScriptError("CA renewal master not found") self.resubmit_request(ca, 'ipaRetrieval') print("CA certificate successfully renewed")
def renew_external_step_2(self, ca, old_cert_der): print("Importing the renewed CA certificate, please wait") options = self.options conn = api.Backend.ldap2 cert_file, ca_file = installutils.load_external_cert( options.external_cert_files, x509.subject_base()) old_cert_obj = x509.load_certificate(old_cert_der, x509.DER) old_der_subject = x509.get_der_subject(old_cert_der, x509.DER) old_spki = old_cert_obj.public_key().public_bytes( serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo) with open(cert_file.name) as f: new_cert_data = f.read() new_cert_der = x509.normalize_certificate(new_cert_data) new_cert_obj = x509.load_certificate(new_cert_der, x509.DER) new_der_subject = x509.get_der_subject(new_cert_der, x509.DER) new_spki = new_cert_obj.public_key().public_bytes( serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo) if new_cert_obj.subject != old_cert_obj.subject: raise admintool.ScriptError( "Subject name mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") if new_der_subject != old_der_subject: raise admintool.ScriptError( "Subject name encoding mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") if new_spki != old_spki: raise admintool.ScriptError( "Subject public key info mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") with certs.NSSDatabase() as tmpdb: pw = ipautil.write_tmp_file(ipautil.ipa_generate_password()) tmpdb.create_db(pw.name) tmpdb.add_cert(old_cert_der, 'IPA CA', 'C,,') try: tmpdb.add_cert(new_cert_der, 'IPA CA', 'C,,') except ipautil.CalledProcessError as e: raise admintool.ScriptError( "Not compatible with the current CA certificate: %s" % e) ca_certs = x509.load_certificate_list_from_file(ca_file.name) for ca_cert in ca_certs: data = ca_cert.public_bytes(serialization.Encoding.DER) tmpdb.add_cert(data, str(DN(ca_cert.subject)), 'C,,') try: tmpdb.verify_ca_cert_validity('IPA CA') except ValueError as e: raise admintool.ScriptError( "Not a valid CA certificate: %s (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)" % e) trust_chain = tmpdb.get_trust_chain('IPA CA')[:-1] for nickname in trust_chain: try: ca_cert = tmpdb.get_cert(nickname) except RuntimeError: break certstore.put_ca_cert_nss(conn, api.env.basedn, ca_cert, nickname, ',,') dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) try: entry = conn.get_entry(dn, ['usercertificate']) entry['usercertificate'] = [new_cert_der] conn.update_entry(entry) except errors.NotFound: entry = conn.make_entry( dn, objectclass=['top', 'pkiuser', 'nscontainer'], cn=[self.cert_nickname], usercertificate=[new_cert_der]) conn.add_entry(entry) except errors.EmptyModlist: pass try: ca.set_renewal_master() except errors.NotFound: raise admintool.ScriptError("CA renewal master not found") self.resubmit_request(ca, 'ipaRetrieval') print("CA certificate successfully renewed")
def renew_external_step_2(self, ca, old_cert): print "Importing the renewed CA certificate, please wait" options = self.options cert_file, ca_file = installutils.load_external_cert( options.external_cert_files, x509.subject_base()) nss_cert = None nss.nss_init(ca.dogtag_constants.ALIAS_DIR) try: nss_cert = x509.load_certificate(old_cert, x509.DER) subject = nss_cert.subject der_subject = x509.get_der_subject(old_cert, x509.DER) #pylint: disable=E1101 pkinfo = nss_cert.subject_public_key_info.format() #pylint: enable=E1101 nss_cert = x509.load_certificate_from_file(cert_file.name) cert = nss_cert.der_data if nss_cert.subject != subject: raise admintool.ScriptError( "Subject name mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") if x509.get_der_subject(cert, x509.DER) != der_subject: raise admintool.ScriptError( "Subject name encoding mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") #pylint: disable=E1101 if nss_cert.subject_public_key_info.format() != pkinfo: raise admintool.ScriptError( "Subject public key info mismatch (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)") #pylint: enable=E1101 finally: del nss_cert nss.nss_shutdown() with certs.NSSDatabase() as tmpdb: pw = ipautil.write_tmp_file(ipautil.ipa_generate_password()) tmpdb.create_db(pw.name) tmpdb.add_cert(old_cert, 'IPA CA', 'C,,') try: tmpdb.add_cert(cert, 'IPA CA', 'C,,') except ipautil.CalledProcessError, e: raise admintool.ScriptError( "Not compatible with the current CA certificate: %s" % e) ca_certs = x509.load_certificate_list_from_file(ca_file.name) for ca_cert in ca_certs: tmpdb.add_cert(ca_cert.der_data, str(ca_cert.subject), 'C,,') del ca_certs del ca_cert try: tmpdb.verify_ca_cert_validity('IPA CA') except ValueError, e: raise admintool.ScriptError( "Not a valid CA certificate: %s (visit " "http://www.freeipa.org/page/Troubleshooting for " "troubleshooting guide)" % e)
class test_host(Declarative): cleanup_commands = [ ('host_del', [fqdn1], {}), ('host_del', [fqdn2], {}), ('host_del', [fqdn3], {}), ('host_del', [fqdn4], {}), ('service_del', [service1], {}), ] tests = [ dict( desc='Try to retrieve non-existent %r' % fqdn1, command=('host_show', [fqdn1], {}), expected=errors.NotFound(reason=u'%s: host not found' % fqdn1), ), dict( desc='Try to update non-existent %r' % fqdn1, command=('host_mod', [fqdn1], dict(description=u'Nope')), expected=errors.NotFound(reason=u'%s: host not found' % fqdn1), ), dict( desc='Try to delete non-existent %r' % fqdn1, command=('host_del', [fqdn1], {}), expected=errors.NotFound(reason=u'%s: host not found' % fqdn1), ), dict( desc='Create %r' % fqdn1, command=( 'host_add', [fqdn1], dict( description=u'Test host 1', l=u'Undisclosed location 1', force=True, ), ), expected=dict( value=fqdn1, summary=u'Added host "%s"' % fqdn1, result=dict( dn=dn1, fqdn=[fqdn1], description=[u'Test host 1'], l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[fqdn1], has_keytab=False, has_password=False, ), ), ), dict( desc='Try to create duplicate %r' % fqdn1, command=( 'host_add', [fqdn1], dict( description=u'Test host 1', l=u'Undisclosed location 1', force=True, ), ), expected=errors.DuplicateEntry(message=u'host with name ' + u'"%s" already exists' % fqdn1), ), dict( desc='Retrieve %r' % fqdn1, command=('host_show', [fqdn1], {}), expected=dict( value=fqdn1, summary=None, result=dict( dn=dn1, fqdn=[fqdn1], description=[u'Test host 1'], l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], has_keytab=False, has_password=False, managedby_host=[fqdn1], ), ), ), dict( desc='Retrieve %r with all=True' % fqdn1, command=('host_show', [fqdn1], dict(all=True)), expected=dict( value=fqdn1, summary=None, result=dict( dn=dn1, cn=[fqdn1], fqdn=[fqdn1], description=[u'Test host 1'], # FIXME: Why is 'localalityname' returned as 'l' with --all? # It is intuitive for --all to return additional attributes, # but not to return existing attributes under different # names. l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], serverhostname=[u'testhost1'], objectclass=objectclasses.host, managedby_host=[fqdn1], managing_host=[fqdn1], ipauniqueid=[fuzzy_uuid], has_keytab=False, has_password=False, ), ), ), dict( desc='Search for %r' % fqdn1, command=('host_find', [fqdn1], {}), expected=dict( count=1, truncated=False, summary=u'1 host matched', result=[ dict( dn=dn1, fqdn=[fqdn1], description=[u'Test host 1'], l=[u'Undisclosed location 1'], krbprincipalname=[ u'host/%s@%s' % (fqdn1, api.env.realm) ], managedby_host=[u'%s' % fqdn1], has_keytab=False, has_password=False, ), ], ), ), dict( desc='Search for %r with all=True' % fqdn1, command=('host_find', [fqdn1], dict(all=True)), expected=dict( count=1, truncated=False, summary=u'1 host matched', result=[ dict( dn=dn1, cn=[fqdn1], fqdn=[fqdn1], description=[u'Test host 1'], # FIXME: Why is 'localalityname' returned as 'l' with --all? # It is intuitive for --all to return additional attributes, # but not to return existing attributes under different # names. l=[u'Undisclosed location 1'], krbprincipalname=[ u'host/%s@%s' % (fqdn1, api.env.realm) ], serverhostname=[u'testhost1'], objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[u'%s' % fqdn1], managing_host=[u'%s' % fqdn1], has_keytab=False, has_password=False, ), ], ), ), dict( desc='Update %r' % fqdn1, command=('host_mod', [fqdn1], dict(description=u'Updated host 1', usercertificate=servercert)), expected=dict( value=fqdn1, summary=u'Modified host "%s"' % fqdn1, result=dict( description=[u'Updated host 1'], fqdn=[fqdn1], l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], managedby_host=[u'%s' % fqdn1], usercertificate=[base64.b64decode(servercert)], valid_not_before=fuzzy_date, valid_not_after=fuzzy_date, subject=DN(('CN', api.env.host), x509.subject_base()), serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, md5_fingerprint=fuzzy_hash, sha1_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, has_keytab=False, has_password=False, ), ), ), dict( desc='Retrieve %r to verify update' % fqdn1, command=('host_show', [fqdn1], {}), expected=dict( value=fqdn1, summary=None, result=dict( dn=dn1, fqdn=[fqdn1], description=[u'Updated host 1'], l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], has_keytab=False, has_password=False, managedby_host=[u'%s' % fqdn1], usercertificate=[base64.b64decode(servercert)], valid_not_before=fuzzy_date, valid_not_after=fuzzy_date, subject=DN(('CN', api.env.host), x509.subject_base()), serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, md5_fingerprint=fuzzy_hash, sha1_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, ), ), ), dict( desc='Create %r' % fqdn3, command=( 'host_add', [fqdn3], dict( description=u'Test host 2', l=u'Undisclosed location 2', force=True, ), ), expected=dict( value=fqdn3, summary=u'Added host "%s"' % fqdn3, result=dict( dn=dn3, fqdn=[fqdn3], description=[u'Test host 2'], l=[u'Undisclosed location 2'], krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)], objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[u'%s' % fqdn3], has_keytab=False, has_password=False, ), ), ), dict( desc='Create %r' % fqdn4, command=( 'host_add', [fqdn4], dict( description=u'Test host 4', l=u'Undisclosed location 4', force=True, ), ), expected=dict( value=fqdn4, summary=u'Added host "%s"' % fqdn4, result=dict( dn=dn4, fqdn=[fqdn4], description=[u'Test host 4'], l=[u'Undisclosed location 4'], krbprincipalname=[u'host/%s@%s' % (fqdn4, api.env.realm)], objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[u'%s' % fqdn4], has_keytab=False, has_password=False, ), ), ), dict( desc='Add managedby_host %r to %r' % (fqdn1, fqdn3), command=( 'host_add_managedby', [fqdn3], dict(host=u'%s' % fqdn1, ), ), expected=dict( completed=1, failed=dict(managedby=dict(host=tuple(), ), ), result=dict( dn=dn3, fqdn=[fqdn3], description=[u'Test host 2'], l=[u'Undisclosed location 2'], krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)], managedby_host=[u'%s' % fqdn3, u'%s' % fqdn1], ), ), ), dict( desc='Retrieve %r' % fqdn3, command=('host_show', [fqdn3], {}), expected=dict( value=fqdn3, summary=None, result=dict( dn=dn3, fqdn=[fqdn3], description=[u'Test host 2'], l=[u'Undisclosed location 2'], krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)], has_keytab=False, has_password=False, managedby_host=[u'%s' % fqdn3, u'%s' % fqdn1], ), ), ), dict( desc='Search for hosts with --man-hosts and --not-man-hosts', command=('host_find', [], { 'man_host': fqdn3, 'not_man_host': fqdn1 }), expected=dict( count=1, truncated=False, summary=u'1 host matched', result=[ dict( dn=dn3, fqdn=[fqdn3], description=[u'Test host 2'], l=[u'Undisclosed location 2'], krbprincipalname=[ u'host/%s@%s' % (fqdn3, api.env.realm) ], has_keytab=False, has_password=False, managedby_host=[u'%s' % fqdn3, u'%s' % fqdn1], ), ], ), ), dict( desc='Try to search for hosts with --man-hosts', command=('host_find', [], { 'man_host': [fqdn3, fqdn4] }), expected=dict( count=0, truncated=False, summary=u'0 hosts matched', result=[], ), ), dict( desc='Remove managedby_host %r from %r' % (fqdn1, fqdn3), command=( 'host_remove_managedby', [fqdn3], dict(host=u'%s' % fqdn1, ), ), expected=dict( completed=1, failed=dict(managedby=dict(host=tuple(), ), ), result=dict( dn=dn3, fqdn=[fqdn3], description=[u'Test host 2'], l=[u'Undisclosed location 2'], krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)], managedby_host=[u'%s' % fqdn3], ), ), ), dict( desc='Show a host with multiple matches %s' % short3, command=('host_show', [short3], {}), expected=errors.SingleMatchExpected(found=2), ), dict(desc='Try to rename %r' % fqdn1, command=('host_mod', [fqdn1], dict(setattr=u'fqdn=changed.example.com')), expected=errors.NotAllowedOnRDN()), dict( desc='Add MAC address to %r' % fqdn1, command=('host_mod', [fqdn1], dict(macaddress=u'00:50:56:30:F6:5F')), expected=dict( value=fqdn1, summary=u'Modified host "%s"' % fqdn1, result=dict( description=[u'Updated host 1'], fqdn=[fqdn1], l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], managedby_host=[u'%s' % fqdn1], usercertificate=[base64.b64decode(servercert)], valid_not_before=fuzzy_date, valid_not_after=fuzzy_date, subject=DN(('CN', api.env.host), x509.subject_base()), serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, md5_fingerprint=fuzzy_hash, sha1_fingerprint=fuzzy_hash, macaddress=[u'00:50:56:30:F6:5F'], issuer=fuzzy_issuer, has_keytab=False, has_password=False, ), ), ), dict( desc='Add another MAC address to %r' % fqdn1, command=('host_mod', [ fqdn1 ], dict(macaddress=[u'00:50:56:30:F6:5F', u'00:50:56:2C:8D:82'])), expected=dict( value=fqdn1, summary=u'Modified host "%s"' % fqdn1, result=dict( description=[u'Updated host 1'], fqdn=[fqdn1], l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], managedby_host=[u'%s' % fqdn1], usercertificate=[base64.b64decode(servercert)], valid_not_before=fuzzy_date, valid_not_after=fuzzy_date, subject=DN(('CN', api.env.host), x509.subject_base()), serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, md5_fingerprint=fuzzy_hash, sha1_fingerprint=fuzzy_hash, macaddress=[u'00:50:56:30:F6:5F', u'00:50:56:2C:8D:82'], issuer=fuzzy_issuer, has_keytab=False, has_password=False, ), ), ), dict( desc='Add an illegal MAC address to %r' % fqdn1, command=('host_mod', [fqdn1], dict(macaddress=[u'xx'])), expected=errors.ValidationError( name='macaddress', error=u'Must be of the form HH:HH:HH:HH:HH:HH, where ' + u'each H is a hexadecimal character.'), ), dict( desc='Add SSH public key to %r' % fqdn1, command=('host_mod', [fqdn1], dict(ipasshpubkey=[sshpubkey])), expected=dict( value=fqdn1, summary=u'Modified host "%s"' % fqdn1, result=dict( description=[u'Updated host 1'], fqdn=[fqdn1], l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], managedby_host=[u'%s' % fqdn1], usercertificate=[base64.b64decode(servercert)], valid_not_before=fuzzy_date, valid_not_after=fuzzy_date, subject=DN(('CN', api.env.host), x509.subject_base()), serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, md5_fingerprint=fuzzy_hash, sha1_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, macaddress=[u'00:50:56:30:F6:5F', u'00:50:56:2C:8D:82'], ipasshpubkey=[sshpubkey], sshpubkeyfp=[sshpubkeyfp], has_keytab=False, has_password=False, ), ), ), dict( desc='Add an illegal SSH public key to %r' % fqdn1, command=('host_mod', [fqdn1], dict(ipasshpubkey=[u'no-pty %s' % sshpubkey])), expected=errors.ValidationError(name='sshpubkey', error=u'options are not allowed'), ), dict( desc='Delete %r' % fqdn1, command=('host_del', [fqdn1], {}), expected=dict( value=fqdn1, summary=u'Deleted host "%s"' % fqdn1, result=dict(failed=u''), ), ), dict( desc='Try to retrieve non-existent %r' % fqdn1, command=('host_show', [fqdn1], {}), expected=errors.NotFound(reason=u'%s: host not found' % fqdn1), ), dict( desc='Try to update non-existent %r' % fqdn1, command=('host_mod', [fqdn1], dict(description=u'Nope')), expected=errors.NotFound(reason=u'%s: host not found' % fqdn1), ), dict( desc='Try to delete non-existent %r' % fqdn1, command=('host_del', [fqdn1], {}), expected=errors.NotFound(reason=u'%s: host not found' % fqdn1), ), # Test deletion using a non-fully-qualified hostname. Services # associated with this host should also be removed. dict( desc='Re-create %r' % fqdn1, command=( 'host_add', [fqdn1], dict( description=u'Test host 1', l=u'Undisclosed location 1', force=True, ), ), expected=dict( value=fqdn1, summary=u'Added host "%s"' % fqdn1, result=dict( dn=dn1, fqdn=[fqdn1], description=[u'Test host 1'], l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[u'%s' % fqdn1], has_keytab=False, has_password=False, ), ), ), dict( desc='Add a service to host %r' % fqdn1, command=('service_add', [service1], { 'force': True }), expected=dict( value=service1, summary=u'Added service "%s"' % service1, result=dict( dn=service1dn, krbprincipalname=[service1], objectclass=objectclasses.service, managedby_host=[fqdn1], ipauniqueid=[fuzzy_uuid], ), ), ), dict( desc='Delete using host name %r' % short1, command=('host_del', [short1], {}), expected=dict( value=short1, summary=u'Deleted host "%s"' % short1, result=dict(failed=u''), ), ), dict( desc='Search for services for %r' % fqdn1, command=('service_find', [fqdn1], {}), expected=dict( count=0, truncated=False, summary=u'0 services matched', result=[], ), ), dict( desc='Try to add host not in DNS %r without force' % fqdn2, command=('host_add', [fqdn2], {}), expected=errors.DNSNotARecordError( reason=u'Host does not have corresponding DNS A record'), ), dict( desc='Try to add host not in DNS %r with force' % fqdn2, command=( 'host_add', [fqdn2], dict( description=u'Test host 2', l=u'Undisclosed location 2', userclass=[u'webserver', u'mailserver'], force=True, ), ), expected=dict( value=fqdn2, summary=u'Added host "%s"' % fqdn2, result=dict( dn=dn2, fqdn=[fqdn2], description=[u'Test host 2'], l=[u'Undisclosed location 2'], krbprincipalname=[u'host/%s@%s' % (fqdn2, api.env.realm)], objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[fqdn2], userclass=[u'webserver', u'mailserver'], has_keytab=False, has_password=False, ), ), ), dict( desc='Retrieve %r' % fqdn2, command=('host_show', [fqdn2], {}), expected=dict( value=fqdn2, summary=None, result=dict( dn=dn2, fqdn=[fqdn2], description=[u'Test host 2'], l=[u'Undisclosed location 2'], krbprincipalname=[u'host/%s@%s' % (fqdn2, api.env.realm)], has_keytab=False, has_password=False, managedby_host=[fqdn2], userclass=[u'webserver', u'mailserver'], ), ), ), # This test will only succeed when running against lite-server.py # on same box as IPA install. dict( desc='Delete the current host (master?) %s should be caught' % api.env.host, command=('host_del', [api.env.host], {}), expected=errors.ValidationError( name='hostname', error=u'An IPA master host cannot be deleted or disabled'), ), dict( desc='Disable the current host (master?) %s should be caught' % api.env.host, command=('host_disable', [api.env.host], {}), expected=errors.ValidationError( name='hostname', error=u'An IPA master host cannot be deleted or disabled'), ), dict( desc='Test that validation is enabled on adds', command=('host_add', [invalidfqdn1], {}), expected=errors.ValidationError( name='hostname', error=u'invalid domain-name: only letters, numbers, and - ' + u'are allowed. DNS label may not start or end with -'), ), # The assumption on these next 4 tests is that if we don't get a # validation error then the request was processed normally. dict( desc='Test that validation is disabled on mods', command=('host_mod', [invalidfqdn1], {}), expected=errors.NotFound(reason=u'%s: host not found' % invalidfqdn1), ), dict( desc='Test that validation is disabled on deletes', command=('host_del', [invalidfqdn1], {}), expected=errors.NotFound(reason=u'%s: host not found' % invalidfqdn1), ), dict( desc='Test that validation is disabled on show', command=('host_show', [invalidfqdn1], {}), expected=errors.NotFound(reason=u'%s: host not found' % invalidfqdn1), ), dict( desc='Test that validation is disabled on find', command=('host_find', [invalidfqdn1], {}), expected=dict( count=0, truncated=False, summary=u'0 hosts matched', result=[], ), ), dict( desc='Add managedby_host %r to %r' % (fqdn3, fqdn4), command=( 'host_add_managedby', [fqdn4], dict(host=fqdn3, ), ), expected=dict( completed=1, failed=dict(managedby=dict(host=tuple(), ), ), result=dict( dn=dn4, fqdn=[fqdn4], description=[u'Test host 4'], l=[u'Undisclosed location 4'], krbprincipalname=[u'host/%s@%s' % (fqdn4, api.env.realm)], managedby_host=[fqdn4, fqdn3], ), ), ), dict( desc='Delete %r' % fqdn3, command=('host_del', [fqdn3], {}), expected=dict( value=fqdn3, summary=u'Deleted host "%s"' % fqdn3, result=dict(failed=u''), ), ), dict( desc='Retrieve %r to verify that %r is gone from managedBy' % (fqdn4, fqdn3), command=('host_show', [fqdn4], {}), expected=dict( value=fqdn4, summary=None, result=dict( dn=dn4, fqdn=[fqdn4], description=[u'Test host 4'], l=[u'Undisclosed location 4'], krbprincipalname=[u'host/%s@%s' % (fqdn4, api.env.realm)], has_keytab=False, has_password=False, managedby_host=[fqdn4], ), ), ), ]
fqdn1 = u"testhost1.%s" % api.env.domain fqdn2 = u"testhost2.%s" % api.env.domain fqdn3 = u"TestHost3.%s" % api.env.domain service1_no_realm = u"HTTP/%s" % fqdn1 service1 = u"%s@%s" % (service1_no_realm, api.env.realm) hostprincipal1 = u"host/%s@%s" % (fqdn1, api.env.realm) service1dn = DN(("krbprincipalname", service1), ("cn", "services"), ("cn", "accounts"), api.env.basedn) host1dn = DN(("fqdn", fqdn1), ("cn", "computers"), ("cn", "accounts"), api.env.basedn) host2dn = DN(("fqdn", fqdn2), ("cn", "computers"), ("cn", "accounts"), api.env.basedn) host3dn = DN(("fqdn", fqdn3), ("cn", "computers"), ("cn", "accounts"), api.env.basedn) role1 = u"Test Role" role1_dn = DN(("cn", role1), api.env.container_rolegroup, api.env.basedn) servercert = get_testcert( DN(("CN", api.env.host), x509.subject_base()), "unittest/%s@%s" % (api.env.host, api.env.realm) ) randomissuercert = ( "MIICbzCCAdigAwIBAgICA/4wDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3Q" "gQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDgwOTE1MDIyN1oXDTIwMDgwOTE1MDIyN1" "owKTEMMAoGA1UEChMDSVBBMRkwFwYDVQQDExBwdW1hLmdyZXlvYWsuY29tMIIBIjANBgkqh" "kiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwYbfEOQPgGenPn9vt1JFKvWm/Je3y2tawGWA3LXD" "uqfFJyYtZ8ib3TcBUOnLk9WK5g2qCwHaNlei7bj8ggIfr5hegAVe10cun+wYErjnYo7hsHY" "d+57VZezeipWrXu+7NoNd4+c4A5lk4A/xJay9j3bYx2oOM8BEox4xWYoWge1ljPrc5JK46f" "0X7AGW4F2VhnKPnf8rwSuzI1U8VGjutyM9TWNy3m9KMWeScjyG/ggIpOjUDMV7HkJL0Di61" "lznR9jXubpiEC7gWGbTp84eGl/Nn9bgK1AwHfJ2lHwfoY4uiL7ge1gyP6EvuUlHoBzdb7pe" "kiX28iePjW3iEG9IawIDAQABoyIwIDARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgU" "gMA0GCSqGSIb3DQEBBQUAA4GBACRESLemRV9BPxfEgbALuxH5oE8jQm8WZ3pm2pALbpDlAd" "9wQc3yVf6RtkfVthyDnM18bg7IhxKpd77/p3H8eCnS8w5MLVRda6ktUC6tGhFTS4QKAf0Wy" "DGTcIgkXbeDw0OPAoNHivoXbIXIIRxlw/XgaSaMzJQDBG8iROsN4kCv" )
ipv6_fromip_ptr_dnsname = DNSName(ipv6_fromip_ptr) ipv6_fromip_ptr_dn = DN(("idnsname", ipv6_fromip_ptr), revipv6zone_dn) sshpubkey = u"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGAX3xAeLeaJggwTqMjxNwa6XHBUAikXPGMzEpVrlLDCZtv00djsFTBi38PkgxBJVkgRWMrcBsr/35lq7P6w8KGIwA8GI48Z0qBS2NBMJ2u9WQ2hjLN6GdMlo77O0uJY3251p12pCVIS/bHRSq8kHO2No8g7KA9fGGcagPfQH+ee3t7HUkpbQkFTmbPPN++r3V8oVUk5LxbryB3UIIVzNmcSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM019Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF0L public key test" sshpubkeyfp = u"13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B public key test (ssh-rsa)" user1 = u"tuser1" user2 = u"tuser2" group1 = u"group1" group1_dn = get_group_dn(group1) group2 = u"group2" group2_dn = get_group_dn(group2) hostgroup1 = u"testhostgroup1" hostgroup1_dn = DN(("cn", hostgroup1), ("cn", "hostgroups"), ("cn", "accounts"), api.env.basedn) host_cert = get_testcert(DN(("CN", api.env.host), x509.subject_base()), "host/%s@%s" % (api.env.host, api.env.realm)) class HostTracker(Tracker): """Wraps and tracks modifications to a Host object Implements the helper functions for host plugin. The HostTracker object stores information about the host, e.g. ``fqdn`` and ``dn``. """ retrieve_keys = { "dn", "fqdn", "description",
fqdn1 = u'testhost1.%s' % api.env.domain fqdn2 = u'testhost2.%s' % api.env.domain fqdn3 = u'TestHost3.%s' % api.env.domain service1_no_realm = u'HTTP/%s' % fqdn1 service1 = u'%s@%s' % (service1_no_realm, api.env.realm) hostprincipal1 = u'host/%s@%s' % (fqdn1, api.env.realm) service1dn = DN(('krbprincipalname',service1),('cn','services'),('cn','accounts'),api.env.basedn) host1dn = DN(('fqdn',fqdn1),('cn','computers'),('cn','accounts'),api.env.basedn) host2dn = DN(('fqdn',fqdn2),('cn','computers'),('cn','accounts'),api.env.basedn) host3dn = DN(('fqdn',fqdn3),('cn','computers'),('cn','accounts'),api.env.basedn) role1 = u'Test Role' role1_dn = DN(('cn', role1), api.env.container_rolegroup, api.env.basedn) servercert= get_testcert(DN(('CN', api.env.host), x509.subject_base()), 'unittest/%s@%s' % (api.env.host, api.env.realm)) badservercert = 'MIICbzCCAdigAwIBAgICA/4wDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDgwOTE1MDIyN1oXDTIwMDgwOTE1MDIyN1owKTEMMAoGA1UEChMDSVBBMRkwFwYDVQQDExBwdW1hLmdyZXlvYWsuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwYbfEOQPgGenPn9vt1JFKvWm/Je3y2tawGWA3LXDuqfFJyYtZ8ib3TcBUOnLk9WK5g2qCwHaNlei7bj8ggIfr5hegAVe10cun+wYErjnYo7hsHYd+57VZezeipWrXu+7NoNd4+c4A5lk4A/xJay9j3bYx2oOM8BEox4xWYoWge1ljPrc5JK46f0X7AGW4F2VhnKPnf8rwSuzI1U8VGjutyM9TWNy3m9KMWeScjyG/ggIpOjUDMV7HkJL0Di61lznR9jXubpiEC7gWGbTp84eGl/Nn9bgK1AwHfJ2lHwfoY4uiL7ge1gyP6EvuUlHoBzdb7pekiX28iePjW3iEG9IawIDAQABoyIwIDARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEBBQUAA4GBACRESLemRV9BPxfEgbALuxH5oE8jQm8WZ3pm2pALbpDlAd9wQc3yVf6RtkfVthyDnM18bg7IhxKpd77/p3H8eCnS8w5MLVRda6ktUC6tGhFTS4QKAf0WyDGTcIgkXbeDw0OPAoNHivoXbIXIIRxlw/XgaSaMzJQDBG8iROsN4kCv' user1 = u'tuser1' user2 = u'tuser2' group1 = u'group1' group1_dn = get_group_dn(group1) group2 = u'group2' group2_dn = get_group_dn(group2) hostgroup1 = u'testhostgroup1' hostgroup1_dn = DN(('cn',hostgroup1),('cn','hostgroups'),('cn','accounts'), api.env.basedn) @pytest.mark.tier1
class test_service(Declarative): cleanup_commands = [ ('host_del', [fqdn1], {}), ('host_del', [fqdn2], {}), ('host_del', [fqdn3], {}), ('service_del', [service1], {}), ] tests = [ dict( desc='Try to retrieve non-existent %r' % service1, command=('service_show', [service1], {}), expected=errors.NotFound(reason=u'%s: service not found' % service1), ), dict( desc='Try to update non-existent %r' % service1, command=('service_mod', [service1], dict(usercertificate=get_testcert())), expected=errors.NotFound(reason=u'%s: service not found' % service1), ), dict( desc='Try to delete non-existent %r' % service1, command=('service_del', [service1], {}), expected=errors.NotFound(reason=u'%s: service not found' % service1), ), dict( desc='Create %r' % fqdn1, command=( 'host_add', [fqdn1], dict( description=u'Test host 1', l=u'Undisclosed location 1', force=True, ), ), expected=dict( value=fqdn1, summary=u'Added host "%s"' % fqdn1, result=dict( dn=host1dn, fqdn=[fqdn1], description=[u'Test host 1'], l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[u'%s' % fqdn1], has_keytab=False, has_password=False, ), ), ), dict( desc='Create %r' % fqdn2, command=( 'host_add', [fqdn2], dict( description=u'Test host 2', l=u'Undisclosed location 2', force=True, ), ), expected=dict( value=fqdn2, summary=u'Added host "%s"' % fqdn2, result=dict( dn=host2dn, fqdn=[fqdn2], description=[u'Test host 2'], l=[u'Undisclosed location 2'], krbprincipalname=[u'host/%s@%s' % (fqdn2, api.env.realm)], objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[u'%s' % fqdn2], has_keytab=False, has_password=False, ), ), ), dict( desc='Create %r' % fqdn3, command=( 'host_add', [fqdn3], dict( description=u'Test host 3', l=u'Undisclosed location 3', force=True, ), ), expected=dict( value=fqdn3.lower(), summary=u'Added host "%s"' % fqdn3.lower(), result=dict( dn=host3dn, fqdn=[fqdn3.lower()], description=[u'Test host 3'], l=[u'Undisclosed location 3'], krbprincipalname=[ u'host/%s@%s' % (fqdn3.lower(), api.env.realm) ], objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[u'%s' % fqdn3.lower()], has_keytab=False, has_password=False, ), ), ), dict( desc='Create %r' % service1, command=( 'service_add', [service1], dict(force=True, ), ), expected=dict( value=service1, summary=u'Added service "%s"' % service1, result=dict( dn=service1dn, krbprincipalname=[service1], objectclass=objectclasses.service, ipauniqueid=[fuzzy_uuid], managedby_host=[fqdn1], ), ), ), dict( desc='Try to create duplicate %r' % service1, command=( 'service_add', [service1], dict(force=True, ), ), expected=errors.DuplicateEntry( message=u'service with name "%s" already exists' % service1), ), dict( desc='Retrieve %r' % service1, command=('service_show', [service1], {}), expected=dict( value=service1, summary=None, result=dict( dn=service1dn, krbprincipalname=[service1], has_keytab=False, managedby_host=[fqdn1], ), ), ), dict( desc='Retrieve %r with all=True' % service1, command=('service_show', [service1], dict(all=True)), expected=dict( value=service1, summary=None, result=dict( dn=service1dn, krbprincipalname=[service1], ipakrbprincipalalias=[service1], objectclass=objectclasses.service, ipauniqueid=[fuzzy_uuid], managedby_host=[fqdn1], has_keytab=False, ipakrbrequirespreauth=True, ipakrbokasdelegate=False, ), ), ), dict( desc='Search for %r' % service1, command=('service_find', [service1], {}), expected=dict( count=1, truncated=False, summary=u'1 service matched', result=[ dict( dn=service1dn, krbprincipalname=[service1], managedby_host=[fqdn1], has_keytab=False, ), ], ), ), dict( desc='Search for %r with all=True' % service1, command=('service_find', [service1], dict(all=True)), expected=dict( count=1, truncated=False, summary=u'1 service matched', result=[ dict( dn=service1dn, krbprincipalname=[service1], ipakrbprincipalalias=[service1], objectclass=objectclasses.service, ipauniqueid=[fuzzy_uuid], has_keytab=False, managedby_host=[fqdn1], ipakrbrequirespreauth=True, ipakrbokasdelegate=False, ), ], ), ), dict( desc='Add non-existent host to %r' % service1, command=('service_add_host', [service1], dict(host=u'notfound')), expected=dict( failed=dict(managedby=dict(host=[(u'notfound', u'no such entry')])), completed=0, result=dict( dn=service1dn, krbprincipalname=[service1], managedby_host=[fqdn1], ), ), ), dict( desc='Remove non-existent host from %r' % service1, command=('service_remove_host', [service1], dict(host=u'notfound')), expected=dict( failed=dict(managedby=dict( host=[(u'notfound', u'This entry is not a member')])), completed=0, result=dict( dn=service1dn, krbprincipalname=[service1], managedby_host=[fqdn1], ), ), ), dict( desc='Add host to %r' % service1, command=('service_add_host', [service1], dict(host=fqdn2)), expected=dict( failed=dict(managedby=dict(host=[])), completed=1, result=dict( dn=service1dn, krbprincipalname=[service1], managedby_host=[fqdn1, fqdn2], ), ), ), dict( desc='Remove host from %r' % service1, command=('service_remove_host', [service1], dict(host=fqdn2)), expected=dict( failed=dict(managedby=dict(host=[])), completed=1, result=dict( dn=service1dn, krbprincipalname=[service1], managedby_host=[fqdn1], ), ), ), dict( desc='Add mixed-case host to %r' % service1, command=('service_add_host', [service1], dict(host=fqdn3)), expected=dict( failed=dict(managedby=dict(host=[])), completed=1, result=dict( dn=service1dn, krbprincipalname=[service1], managedby_host=[fqdn1, fqdn3.lower()], ), ), ), dict( desc='Remove mixed-case host from %r' % service1, command=('service_remove_host', [service1], dict(host=fqdn3)), expected=dict( failed=dict(managedby=dict(host=[])), completed=1, result=dict( dn=service1dn, krbprincipalname=[service1], managedby_host=[fqdn1], ), ), ), dict( desc='Update %r with a bad certificate' % service1, command=('service_mod', [service1], dict(usercertificate=badservercert)), expected=errors.CertificateOperationError( error=u'Issuer "CN=IPA Test Certificate Authority" does not ' + u'match the expected issuer'), ), dict( desc='Update %r' % service1, command=('service_mod', [service1], dict(usercertificate=get_testcert())), expected=dict( value=service1, summary=u'Modified service "%s"' % service1, result=dict( usercertificate=[base64.b64decode(get_testcert())], krbprincipalname=[service1], managedby_host=[fqdn1], valid_not_before=fuzzy_date, valid_not_after=fuzzy_date, subject=DN(('CN', api.env.host), x509.subject_base()), serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, md5_fingerprint=fuzzy_hash, sha1_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, ), ), ), dict(desc='Try to update %r with invalid ipakrbauthz data ' 'combination' % service1, command=('service_mod', [service1], dict(ipakrbauthzdata=[u'MS-PAC', u'NONE'])), expected=errors.ValidationError( name='ipakrbauthzdata', error=u'NONE value cannot be combined with other PAC types')), dict( desc='Update %r with valid ipakrbauthz data ' 'combination' % service1, command=('service_mod', [service1], dict(ipakrbauthzdata=[u'MS-PAC'])), expected=dict( value=service1, summary=u'Modified service "%s"' % service1, result=dict( usercertificate=[base64.b64decode(get_testcert())], krbprincipalname=[service1], managedby_host=[fqdn1], ipakrbauthzdata=[u'MS-PAC'], valid_not_before=fuzzy_date, valid_not_after=fuzzy_date, subject=DN(('CN', api.env.host), x509.subject_base()), serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, md5_fingerprint=fuzzy_hash, sha1_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, ), ), ), dict( desc='Retrieve %r to verify update' % service1, command=('service_show', [service1], {}), expected=dict( value=service1, summary=None, result=dict( dn=service1dn, usercertificate=[base64.b64decode(get_testcert())], krbprincipalname=[service1], has_keytab=False, managedby_host=[fqdn1], ipakrbauthzdata=[u'MS-PAC'], # These values come from the servercert that is in this # test case. valid_not_before=fuzzy_date, valid_not_after=fuzzy_date, subject=DN(('CN', api.env.host), x509.subject_base()), serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, md5_fingerprint=fuzzy_hash, sha1_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, ), ), ), dict( desc='Enable %r OK_AS_DELEGATE Kerberos ticket flag' % service1, command=('service_mod', [service1], dict(ipakrbokasdelegate=True)), expected=dict( value=service1, summary=u'Modified service "%s"' % service1, result=dict( usercertificate=[base64.b64decode(get_testcert())], krbprincipalname=[service1], managedby_host=[fqdn1], ipakrbauthzdata=[u'MS-PAC'], valid_not_before=fuzzy_date, valid_not_after=fuzzy_date, subject=DN(('CN', api.env.host), x509.subject_base()), serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, md5_fingerprint=fuzzy_hash, sha1_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, krbticketflags=[u'1048704'], ipakrbokasdelegate=True, ), ), ), dict( desc='Update %r Kerberos ticket flags with setattr' % service1, command=('service_mod', [service1], dict(setattr=[u'krbTicketFlags=1048577'])), expected=dict( value=service1, summary=u'Modified service "%s"' % service1, result=dict( usercertificate=[base64.b64decode(get_testcert())], krbprincipalname=[service1], managedby_host=[fqdn1], ipakrbauthzdata=[u'MS-PAC'], valid_not_before=fuzzy_date, valid_not_after=fuzzy_date, subject=DN(('CN', api.env.host), x509.subject_base()), serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, md5_fingerprint=fuzzy_hash, sha1_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, krbticketflags=[u'1048577'], ), ), ), dict( desc='Disable %r OK_AS_DELEGATE Kerberos ticket flag' % service1, command=('service_mod', [service1], dict(ipakrbokasdelegate=False)), expected=dict( value=service1, summary=u'Modified service "%s"' % service1, result=dict( usercertificate=[base64.b64decode(get_testcert())], krbprincipalname=[service1], managedby_host=[fqdn1], ipakrbauthzdata=[u'MS-PAC'], valid_not_before=fuzzy_date, valid_not_after=fuzzy_date, subject=DN(('CN', api.env.host), x509.subject_base()), serial_number=fuzzy_digits, serial_number_hex=fuzzy_hex, md5_fingerprint=fuzzy_hash, sha1_fingerprint=fuzzy_hash, issuer=fuzzy_issuer, krbticketflags=[u'1'], ipakrbokasdelegate=False, ), ), ), dict( desc='Delete %r' % service1, command=('service_del', [service1], {}), expected=dict( value=[service1], summary=u'Deleted service "%s"' % service1, result=dict(failed=[]), ), ), dict( desc='Try to retrieve non-existent %r' % service1, command=('service_show', [service1], {}), expected=errors.NotFound(reason=u'%s: service not found' % service1), ), dict( desc='Try to update non-existent %r' % service1, command=('service_mod', [service1], dict(usercertificate=get_testcert())), expected=errors.NotFound(reason=u'%s: service not found' % service1), ), dict( desc='Try to delete non-existent %r' % service1, command=('service_del', [service1], {}), expected=errors.NotFound(reason=u'%s: service not found' % service1), ), dict(desc='Create service with malformed principal "foo"', command=('service_add', [u'foo'], {}), expected=errors.MalformedServicePrincipal( reason='missing service')), dict( desc='Create service with bad realm "HTTP/[email protected]"', command=('service_add', [u'HTTP/[email protected]'], {}), expected=errors.RealmMismatch(), ), dict(desc='Create a host service %r' % hostprincipal1, command=('service_add', [hostprincipal1], {}), expected=errors.HostService()), # These tests will only succeed when running against lite-server.py # on same box as IPA install. dict( desc= 'Delete the current host (master?) %s HTTP service, should be caught' % api.env.host, command=('service_del', ['HTTP/%s' % api.env.host], {}), expected=errors.ValidationError( name='principal', error='This principal is required by the IPA master'), ), dict( desc= 'Delete the current host (master?) %s ldap service, should be caught' % api.env.host, command=('service_del', ['ldap/%s' % api.env.host], {}), expected=errors.ValidationError( name='principal', error='This principal is required by the IPA master'), ), dict( desc= 'Disable the current host (master?) %s HTTP service, should be caught' % api.env.host, command=('service_disable', ['HTTP/%s' % api.env.host], {}), expected=errors.ValidationError( name='principal', error='This principal is required by the IPA master'), ), dict( desc= 'Disable the current host (master?) %s ldap service, should be caught' % api.env.host, command=('service_disable', ['ldap/%s' % api.env.host], {}), expected=errors.ValidationError( name='principal', error='This principal is required by the IPA master'), ), ]