def test_certs_mismatch(self, mock_certdb):
    """Ensure mismatches are detected.

    Every LDAP entry gets a default ``IPACertificate()`` except the
    pkidbuser entry, whose certificate has ``serial_number=2``. The NSS
    database is stood in for by ``mock_CertDB`` loaded with the trust
    flags listed below. The check is expected to yield three results, the
    first of which is an ERROR; only that first result is inspected.
    """
    conn = LDAPClient('ldap://localhost', no_schema=True)

    # The single entry whose certificate deliberately disagrees with the rest.
    pkidb_entry = LDAPEntry(
        conn,
        DN('uid=pkidbuser,ou=people,o=ipaca'),
        userCertificate=[IPACertificate(serial_number=2)],
        subjectName=['test'],
    )
    ca_signing_entry = LDAPEntry(
        conn,
        DN('cn=%s IPA CA' % m_api.env.realm,
           'cn=certificates,cn=ipa,cn=etc',
           m_api.env.basedn),
        CACertificate=[IPACertificate()],
        userCertificate=[IPACertificate()],
        subjectName=['test'],
    )
    entries = [pkidb_entry, ca_signing_entry]

    # Nickname -> trust flags handed to mock_CertDB.  The two audit signing
    # certs carry 'u,u,Pu'; every other nickname is plain 'u,u,u'.
    trust_flags = dict([
        ('ocspSigningCert cert-pki-ca', 'u,u,u'),
        ('caSigningCert cert-pki-ca', 'u,u,u'),
        ('subsystemCert cert-pki-ca', 'u,u,u'),
        ('auditSigningCert cert-pki-ca', 'u,u,Pu'),
        ('Server-Cert cert-pki-ca', 'u,u,u'),
        ('transportCert cert-pki-kra', 'u,u,u'),
        ('storageCert cert-pki-kra', 'u,u,u'),
        ('auditSigningCert cert-pki-kra', 'u,u,Pu'),
    ])

    # Subject names of the Dogtag CA/KRA subsystem certificates, in the
    # order their certificateRepository entries are numbered below.
    dogtag_subjects = (
        'CN=OCSP Subsystem,O=%s' % m_api.env.realm,
        'CN=CA Subsystem,O=%s' % m_api.env.realm,
        'CN=CA Audit,O=%s' % m_api.env.realm,
        'CN=%s,O=%s' % (m_api.env.host, m_api.env.realm),
        'CN=KRA Transport Certificate,O=%s' % m_api.env.realm,
        'CN=KRA Storage Certificate,O=%s' % m_api.env.realm,
        'CN=KRA Audit,O=%s' % m_api.env.realm,
    )
    # One repository entry per subject, cn=0, cn=1, ... in listed order.
    entries.extend(
        LDAPEntry(conn,
                  DN('cn=%i,ou=certificateRepository' % index,
                     'ou=ca,o=ipaca'),
                  userCertificate=[IPACertificate()],
                  subjectName=[subject])
        for index, subject in enumerate(dogtag_subjects)
    )

    mock_certdb.return_value = mock_CertDB(trust_flags)
    registry.initialize(object(), config.Config())
    check = IPADogtagCertsMatchCheck(registry)
    check.conn = mock_ldap(entries)
    self.results = capture_results(check)

    assert len(self.results) == 3
    first = self.results.results[0]
    assert first.result == constants.ERROR
    assert first.source == 'ipahealthcheck.ipa.certs'
    assert first.check == 'IPADogtagCertsMatchCheck'
def test_member_ok(self):
    """A trust-agent host that belongs to 'adtrust agents' passes the check.

    Builds a host entry whose ``memberof`` names the
    ``cn=adtrust agents`` sysaccounts group, marks the registry as a
    trust agent and expects exactly one SUCCESS result keyed by the
    host name.
    """
    host_dn = DN(('fqdn', m_api.env.host),
                 m_api.env.container_host,
                 m_api.env.basedn)
    agents_group_dn = DN(('cn', 'adtrust agents'),
                         m_api.env.container_sysaccounts,
                         m_api.env.basedn)

    conn = LDAPClient('ldap://localhost', no_schema=True)
    host_entry = LDAPEntry(conn, host_dn)
    # The only attribute the check needs: group membership of the host.
    host_entry['memberof'] = [agents_group_dn]

    # NOTE: unlike the cert tests, the registry is initialized without a
    # config and the config is attached to the check object directly.
    registry.initialize(object())
    registry.trust_agent = True
    check = IPATrustAgentMemberCheck(registry)
    check.conn = mock_ldap(host_entry)
    check.config = config.Config()
    self.results = capture_results(check)

    assert len(self.results) == 1
    only = self.results.results[0]
    assert only.result == constants.SUCCESS
    assert only.source == 'ipahealthcheck.ipa.trust'
    assert only.check == 'IPATrustAgentMemberCheck'
    assert only.kw.get('key') == m_api.env.host
def test_kra_agent_nonmatching_cert(self):
    """Report an ERROR when the ipakra entry's certificate does not match.

    The ``uid=ipakra`` entry carries a certificate with serial 2 and a
    description naming the RA agent certificate. The first result is
    expected to be an ERROR whose ``certfile`` is ``paths.RA_AGENT_PEM``
    and whose ``dn`` is the entry's DN. No assertion is made on the
    total number of results.
    """
    mismatched_cert = IPACertificate(2)

    conn = LDAPClient('ldap://localhost', no_schema=True)
    kra_entry = LDAPEntry(conn, DN('uid=ipakra,ou=people,o=kra,o=ipaca'))
    kra_entry['description'] = ['2;1;CN=ISSUER;CN=RA AGENT']
    kra_entry['usercertificate'] = [mismatched_cert]

    registry.initialize(object(), config.Config())
    check = IPAKRAAgent(registry)
    check.conn = mock_ldap([kra_entry])
    self.results = capture_results(check)

    first = self.results.results[0]
    assert first.result == constants.ERROR
    assert first.kw.get('certfile') == paths.RA_AGENT_PEM
    assert first.kw.get('dn') == 'uid=ipakra,ou=people,o=kra,o=ipaca'
def test_certs_mismatch(self, mock_certdb):
    """Ensure mismatches are detected.

    ``config_show`` is made to answer with ``default_subject_base``. Every
    LDAP entry gets a default ``IPACertificate()`` except the pkidbuser
    entry, whose certificate has ``serial_number=2``; the NSS database is
    stood in for by ``mock_CertDB`` loaded with ``self.trust``. The check
    is expected to yield three results, the first being an ERROR; only
    that first result is inspected.
    """
    m_api.Command.config_show.side_effect = default_subject_base
    conn = LDAPClient('ldap://localhost', no_schema=True)

    # The single entry whose certificate deliberately disagrees with the rest.
    pkidb_entry = LDAPEntry(
        conn,
        DN('uid=pkidbuser,ou=people,o=ipaca'),
        userCertificate=[IPACertificate(serial_number=2)],
        subjectName=['test'],
    )
    ca_signing_entry = LDAPEntry(
        conn,
        DN('cn=%s IPA CA' % m_api.env.realm,
           'cn=certificates,cn=ipa,cn=etc',
           m_api.env.basedn),
        CACertificate=[IPACertificate()],
        userCertificate=[IPACertificate()],
        subjectName=['test'],
    )
    entries = [pkidb_entry, ca_signing_entry]

    # One certificateRepository entry per Dogtag subject, cn=0, cn=1, ...
    # in the order the helper returns them.
    dogtag_subjects = self.get_dogtag_subjects(m_api.env.host,
                                               default_subject_base)
    entries.extend(
        LDAPEntry(conn,
                  DN('cn=%i,ou=certificateRepository' % index,
                     'ou=ca,o=ipaca'),
                  userCertificate=[IPACertificate()],
                  subjectName=[subject])
        for index, subject in enumerate(dogtag_subjects)
    )

    mock_certdb.return_value = mock_CertDB(self.trust)
    registry.initialize(object(), config.Config())
    check = IPADogtagCertsMatchCheck(registry)
    check.conn = mock_ldap(entries)
    self.results = capture_results(check)

    assert len(self.results) == 3
    first = self.results.results[0]
    assert first.result == constants.ERROR
    assert first.source == 'ipahealthcheck.ipa.certs'
    assert first.check == 'IPADogtagCertsMatchCheck'
def test_etc_cacert_mismatch(self, mock_certdb, mock_load_cert):
    """Test mismatch with /etc/ipa/ca.crt.

    The ``cn=<realm> IPA CA`` LDAP entry holds a default
    ``IPACertificate()`` while ``mock_load_cert`` (standing in for the
    on-disk CA certificate load) answers with a certificate of
    ``serial_number=2``. Three results are expected, the first an ERROR;
    only that first result is inspected.
    """
    conn = LDAPClient('ldap://localhost', no_schema=True)
    ca_entry = LDAPEntry(
        conn,
        DN('cn=%s IPA CA' % m_api.env.realm,
           'cn=certificates,cn=ipa,cn=etc',
           m_api.env.basedn),
        CACertificate=[IPACertificate()],
    )

    mock_certdb.return_value = mock_CertDB(self.trust)
    # Serial 2 on the loaded cert is what makes it disagree with the entry.
    mock_load_cert.return_value = [IPACertificate(serial_number=2)]

    registry.initialize(object(), config.Config())
    check = IPACertMatchCheck(registry)
    check.conn = mock_ldap([ca_entry])
    self.results = capture_results(check)

    assert len(self.results) == 3
    first = self.results.results[0]
    assert first.result == constants.ERROR
    assert first.source == 'ipahealthcheck.ipa.certs'
    assert first.check == 'IPACertMatchCheck'
def test_certs_match_ok(self, mock_certdb, mock_load_cert):
    """Ensure match check is ok.

    The ``cn=<realm> IPA CA`` LDAP entry and the certificate returned by
    ``mock_load_cert`` are both default ``IPACertificate()`` instances, so
    nothing disagrees. Three results are expected and every one of them
    must be a SUCCESS from the certs source for IPACertMatchCheck.
    """
    conn = LDAPClient('ldap://localhost', no_schema=True)
    ca_entry = LDAPEntry(
        conn,
        DN('cn=%s IPA CA' % m_api.env.realm,
           'cn=certificates,cn=ipa,cn=etc',
           m_api.env.basedn),
        CACertificate=[IPACertificate()],
    )

    mock_certdb.return_value = mock_CertDB(self.trust)
    mock_load_cert.return_value = [IPACertificate()]

    registry.initialize(object(), config.Config())
    check = IPACertMatchCheck(registry)
    check.conn = mock_ldap([ca_entry])
    self.results = capture_results(check)

    assert len(self.results) == 3
    # Unlike the mismatch tests, every result is checked, not just the first.
    for outcome in self.results.results:
        assert outcome.result == constants.SUCCESS
        assert outcome.source == 'ipahealthcheck.ipa.certs'
        assert outcome.check == 'IPACertMatchCheck'