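def test_master_install_ca2(self):
    """Renew the IPA CA against a second external root CA (RootCA2).

    Runs ``ipa-cacert-manage renew --external-ca`` on the master, has the
    test's ExternalCA sign the CSR it produced, feeds both certificates
    back with ``ipa-cacert-manage renew --external-cert-file`` and checks
    that certutil now lists RootCA2 for the CA signing certificate.
    """
    # The certificate files must be allocated on the master, not on the
    # test runner: tempfile.mkdtemp() created (and leaked) a directory on
    # the local machine and only borrowed its name for the remote path.
    root_ca_fname2 = tasks.create_temp_file(
        self.master, directory=paths.TMP, suffix="root_ca.crt")
    ipa_ca_fname2 = tasks.create_temp_file(
        self.master, directory=paths.TMP, suffix="ipa_ca.crt")

    # Ask for a renewal with an external CA; the CSR is then read back
    # from paths.IPA_CA_CSR.
    self.master.run_command(
        [paths.IPA_CACERT_MANAGE, 'renew', '--external-ca'])
    ipa_csr = self.master.get_file_contents(paths.IPA_CA_CSR)

    # Sign the CSR with a fresh, test-only root CA.
    external_ca = ExternalCA()
    root_ca = external_ca.create_ca(cn='RootCA2')
    ipa_ca = external_ca.sign_csr(ipa_csr)

    # Transport certificates (string > file) to master.
    self.master.put_file_contents(root_ca_fname2, root_ca)
    self.master.put_file_contents(ipa_ca_fname2, ipa_ca)

    # Step 2 of ipa-server-install.
    self.master.run_command([
        paths.IPA_CACERT_MANAGE, 'renew',
        '--external-cert-file', ipa_ca_fname2,
        '--external-cert-file', root_ca_fname2,
    ])

    # certutil's listing of the signing cert must mention the new root.
    cert_nick = "caSigningCert cert-pki-ca"
    result = self.master.run_command([
        'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR, '-n', cert_nick
    ])
    assert "CN=RootCA2" in result.stdout_text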
def sign_ca_and_transport(host, csr_name, root_ca_name, ipa_ca_name):
    """
    Sign ipa csr and save signed CA together with root CA back to the host.

    Returns root CA and IPA CA paths on the host.
    """
    # The CSR is fetched from the host as bytes and signed by a throwaway
    # root CA created by the test helper.
    csr_bytes = host.get_file_contents(csr_name)
    ca = ExternalCA()
    root_ca_pem = ca.create_ca()
    ipa_ca_pem = ca.sign_csr(csr_bytes)

    # Both certificates land in the host's test directory under the
    # caller-supplied names.
    test_dir = host.config.test_dir
    uploads = [
        (os.path.join(test_dir, root_ca_name), root_ca_pem),
        (os.path.join(test_dir, ipa_ca_name), ipa_ca_pem),
    ]
    for remote_path, pem in uploads:
        host.put_file_contents(remote_path, pem)

    return (uploads[0][0], uploads[1][0])
def test_master_install_ca1(self):
    """Two-step external-CA server install signed by RootCA1.

    Step 1 produces a CSR on the master; the test's ExternalCA signs it,
    both certificates are uploaded and step 2 completes the install.
    Finally certutil must list RootCA1 for the CA signing certificate.
    """
    install_server_external_ca_step1(self.master)

    # Sign CA, transport it to the host and get ipa a root ca paths.
    remote_paths = {
        name: tasks.create_temp_file(
            self.master, directory=paths.TMP, suffix=name)
        for name in ("root_ca.crt", "ipa_ca.crt")
    }
    root_ca_fname1 = remote_paths["root_ca.crt"]
    ipa_ca_fname1 = remote_paths["ipa_ca.crt"]

    csr_bytes = self.master.get_file_contents(paths.ROOT_IPA_CSR)
    ca = ExternalCA()
    root_ca_pem = ca.create_ca(cn='RootCA1')
    ipa_ca_pem = ca.sign_csr(csr_bytes)
    self.master.put_file_contents(root_ca_fname1, root_ca_pem)
    self.master.put_file_contents(ipa_ca_fname1, ipa_ca_pem)

    # Step 2 of ipa-server-install.
    install_server_external_ca_step2(
        self.master, ipa_ca_fname1, root_ca_fname1)

    # The signing cert in the PKI NSS database must reference RootCA1.
    listing = self.master.run_command([
        'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR,
        '-n', "caSigningCert cert-pki-ca",
    ])
    assert "CN=RootCA1" in listing.stdout_text
def test_install_external_ca(self):
    """Install a test-generated root CA certificate on the master.

    Creates a throwaway root CA, uploads its PEM under ROOT_CA in the
    master's test directory and runs ``ipa-cacert-manage install`` on it.
    Success is implied by run_command not raising (no explicit assertion).
    """
    # Create root CA
    root_ca_pem = ExternalCA().create_ca()

    # Transport certificates (string > file) to master
    remote_path = os.path.join(self.master.config.test_dir, ROOT_CA)
    self.master.put_file_contents(remote_path, root_ca_pem)

    # Install new cert
    install_cmd = [paths.IPA_CACERT_MANAGE, 'install', remote_path]
    self.master.run_command(install_cmd)
def test_install_external_ca(self):
    """Install a test-generated root CA certificate on the master.

    A throwaway root CA is created, written to ROOT_CA inside the master's
    test directory and handed to ``ipa-cacert-manage install``.  The test
    relies on run_command raising on failure; nothing else is asserted.
    """
    # Create root CA
    ca = ExternalCA()
    root_ca_pem = ca.create_ca()

    # Transport certificates (string > file) to master
    target = os.path.join(self.master.config.test_dir, ROOT_CA)
    self.master.put_file_contents(target, root_ca_pem)

    # Install new cert
    self.master.run_command(
        [paths.IPA_CACERT_MANAGE, 'install', target])
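def test_ssh_leak(self):
    """
    Integration test for https://pagure.io/SSSD/sssd/issue/3794

    Attaches three certificates to a test user, then calls
    sss_ssh_authorizedkeys for that user repeatedly and checks that the
    number of pipe file descriptors held by sssd_ssh does not change.
    """
    def count_pipes():
        # Count 'pipe' occurrences (pipe:[inode] link targets) in the fd
        # listing of the sssd_ssh process.  Assumes pidof returns one pid.
        res = self.master.run_command(['pidof', 'sssd_ssh'])
        pid = res.stdout_text.strip()
        proc_path = '/proc/{}/fd'.format(pid)
        res = self.master.run_command(['ls', '-la', proc_path])
        return res.stdout_text.strip().count('pipe')

    test_user = '******'
    tasks.kinit_admin(self.master)
    self.master.run_command(['ipa', 'user-add', test_user,
                             '--first=tester', '--last=tester'])
    try:
        # we are ok with whatever certificate for this test
        external_ca = ExternalCA()
        certs = []
        for _dummy in range(3):
            cert = external_ca.create_ca()
            certs.append(tasks.strip_cert_header(cert.decode('utf-8')))

        # Pass argv as a list so the certificate blobs reach ipa verbatim
        # instead of being re-parsed by a shell from a quoted string.
        cmd = ['ipa', 'user-add-cert', test_user]
        for cert in certs:
            cmd.extend(['--certificate', cert])
        self.master.run_command(cmd)

        tasks.clear_sssd_cache(self.master)
        num_of_pipes = count_pipes()
        for _dummy in range(3):
            self.master.run_command([paths.SSS_SSH_AUTHORIZEDKEYS, test_user])
            current_num_of_pipes = count_pipes()
            assert current_num_of_pipes == num_of_pipes
    finally:
        # cleanup: the user is removed even when an assertion above fails,
        # so a failing run does not leave state behind for later tests
        self.master.run_command(['ipa', 'user-del', test_user])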
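def test_master_install_ca1(self):
    """Two-step external-CA server install signed by RootCA1.

    Step 1 produces a CSR on the master; the test's ExternalCA signs it,
    both certificates are uploaded and step 2 completes the install.
    Finally certutil must list RootCA1 for the CA signing certificate.
    """
    install_server_external_ca_step1(self.master)

    # Sign CA, transport it to the host and get ipa a root ca paths.
    # The paths are allocated on the master itself: tempfile.mkdtemp()
    # created (and leaked) a directory on the test runner and merely
    # reused its name as the remote file path.
    root_ca_fname1 = tasks.create_temp_file(
        self.master, directory=paths.TMP, suffix="root_ca.crt")
    ipa_ca_fname1 = tasks.create_temp_file(
        self.master, directory=paths.TMP, suffix="ipa_ca.crt")

    ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR)
    external_ca = ExternalCA()
    root_ca = external_ca.create_ca(cn='RootCA1')
    ipa_ca = external_ca.sign_csr(ipa_csr)
    self.master.put_file_contents(root_ca_fname1, root_ca)
    self.master.put_file_contents(ipa_ca_fname1, ipa_ca)

    # Step 2 of ipa-server-install.
    install_server_external_ca_step2(
        self.master, ipa_ca_fname1, root_ca_fname1)

    # The signing cert in the PKI NSS database must reference RootCA1.
    cert_nick = "caSigningCert cert-pki-ca"
    result = self.master.run_command([
        'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR, '-n', cert_nick])
    assert "CN=RootCA1" in result.stdout_text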
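def test_master_install_ca2(self):
    """Renew the IPA CA against a second external root CA (RootCA2).

    Runs ``ipa-cacert-manage renew --external-ca`` on the master, has the
    test's ExternalCA sign the CSR it produced, feeds both certificates
    back with ``ipa-cacert-manage renew --external-cert-file`` and checks
    that certutil now lists RootCA2 for the CA signing certificate.
    """
    # Allocate the certificate files on the master: tempfile.mkdtemp()
    # created (and leaked) a directory on the test runner and only
    # borrowed its name for the remote path.
    root_ca_fname2 = tasks.create_temp_file(
        self.master, directory=paths.TMP, suffix="root_ca.crt")
    ipa_ca_fname2 = tasks.create_temp_file(
        self.master, directory=paths.TMP, suffix="ipa_ca.crt")

    # Request a renewal with an external CA; the CSR is read back from
    # paths.IPA_CA_CSR.
    self.master.run_command([
        paths.IPA_CACERT_MANAGE, 'renew', '--external-ca'])
    ipa_csr = self.master.get_file_contents(paths.IPA_CA_CSR)

    # Sign the CSR with a fresh, test-only root CA.
    external_ca = ExternalCA()
    root_ca = external_ca.create_ca(cn='RootCA2')
    ipa_ca = external_ca.sign_csr(ipa_csr)

    # Transport certificates (string > file) to master.
    self.master.put_file_contents(root_ca_fname2, root_ca)
    self.master.put_file_contents(ipa_ca_fname2, ipa_ca)

    # Step 2 of ipa-server-install.
    self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
                             '--external-cert-file', ipa_ca_fname2,
                             '--external-cert-file', root_ca_fname2])

    # certutil's listing of the signing cert must mention the new root.
    cert_nick = "caSigningCert cert-pki-ca"
    result = self.master.run_command([
        'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR, '-n', cert_nick])
    assert "CN=RootCA2" in result.stdout_text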