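def test_02_db_caconnector(self):
    """
    Exercise the CA connector persistence layer end to end.

    Saves a connector, updates it, reads it back through every list/config
    accessor, deletes it and finally re-reads the list to confirm the
    deletion actually reached the DB (the original compared a stale list).
    """
    # save a CA connector
    ca_id = save_caconnector({"caconnector": "myCA",
                              "type": "local",
                              "cakey": "/opt/ca/key.pem",
                              "cacert": "/opt/ca/cert.pem"})
    self.assertTrue(ca_id > 0, ca_id)
    # Update the CA connector. The keys of the first save ("cakey") are
    # expected to survive this second save, which is checked further down.
    save_caconnector({"caconnector": "myCA",
                      "type": "local",
                      "WorkingDir": "/opt/ca",
                      "Password": "******",
                      "type.Password": "******"})
    # check if connector is in DB
    calist = get_caconnector_list()
    self.assertEqual(len(calist), 1)
    calist = get_caconnector_list(filter_caconnector_type="local")
    self.assertEqual(len(calist), 1)
    # check the config values of "myCA"
    self.assertEqual(calist[0].get("data").get("WorkingDir"), "/opt/ca")
    self.assertEqual(calist[0].get("data").get("cakey"), "/opt/ca/key.pem")
    # get the CA connector list without a config
    calist = get_caconnector_list(return_config=False)
    self.assertEqual(len(calist), 1)
    # check that there are no values
    self.assertEqual(calist[0].get("data"), {})
    # test the CA connector:
    config = get_caconnector_config("myCA")
    self.assertEqual(config.get("WorkingDir"), "/opt/ca")
    self.assertEqual(config.get("cakey"), "/opt/ca/key.pem")
    # get_caconnector_object()
    ca_obj = get_caconnector_object("myCA")
    # assertEqual instead of assertTrue(x, "local"): the latter used "local"
    # as the failure message, so the connector type was never compared
    self.assertEqual(ca_obj.connector_type, "local")
    catype = get_caconnector_type("myCA")
    self.assertEqual(catype, "local")
    # delete the CA connector
    delete_caconnector("myCA")
    # check if connector is deleted from DB: the list has to be fetched
    # again, the `calist` from above is a snapshot taken before the delete
    calist = get_caconnector_list()
    self.assertEqual(len(calist), 0)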
def test_02a_fail_request_with_attestation(self):
    """
    A CSR delivered together with a non-matching attestation certificate
    must be rejected by the certificate token enrollment.
    """
    working_dir = os.getcwd() + "/" + WORKINGDIR
    # setup ca connector
    save_caconnector({"cakey": CAKEY,
                      "cacert": CACERT,
                      "type": "local",
                      "caconnector": "localCA",
                      "openssl.cnf": OPENSSLCNF,
                      "CSRDir": "",
                      "CertificateDir": "",
                      "WorkingDir": working_dir})
    db_token = Token(self.serial2, tokentype="certificate")
    db_token.save()
    token = CertificateTokenClass(db_token)
    # A cert request will fail, since the attestation certificate does not
    # match the request
    with self.assertRaises(privacyIDEAError):
        token.update({"ca": "localCA",
                      "attestation": BOGUS_ATTESTATION,
                      "request": REQUEST})
    remove_token(self.serial2)
def test_17_enroll_certificate(self):
    """
    Enroll a certificate token via POST /token/init with a ready CSR and
    check that a PEM certificate comes back in the response detail.
    """
    working_dir = os.getcwd() + "/" + WORKINGDIR
    # setup ca connector
    save_caconnector({"cakey": CAKEY,
                      "cacert": CACERT,
                      "type": "local",
                      "caconnector": "localCA",
                      "openssl.cnf": OPENSSLCNF,
                      "CSRDir": "",
                      "CertificateDir": "",
                      "WorkingDir": working_dir})
    init_params = {"type": "certificate",
                   "request": REQUEST,
                   "ca": "localCA"}
    with self.app.test_request_context('/token/init',
                                       data=init_params,
                                       method="POST",
                                       headers={'Authorization': self.at}):
        res = self.app.full_dispatch_request()
        self.assertTrue(res.status_code == 200, res)
        # parse the body once and pick "result" and "detail" from it
        body = json.loads(res.data)
        self.assertTrue(body.get("result").get("value"))
        certificate = body.get("detail").get("certificate")
        self.assertIn("-----BEGIN CERTIFICATE-----", certificate)
def test_04_create_token_on_server(self):
    """
    Enroll a certificate token whose key pair is generated on the server
    (genkey=1), verify issuer/subject of the certificate both in the init
    detail and in the tokeninfo, check the stored private key and the
    PKCS#12 container, and finally revoke the token.
    """
    self.setUp_user_realms()
    working_dir = os.getcwd() + "/" + WORKINGDIR
    # setup ca connector
    save_caconnector({"cakey": CAKEY,
                      "cacert": CACERT,
                      "type": "local",
                      "caconnector": "localCA",
                      "openssl.cnf": OPENSSLCNF,
                      "CSRDir": "",
                      "CertificateDir": "",
                      "WorkingDir": working_dir})
    db_token = Token(self.serial3, tokentype="certificate")
    db_token.save()
    token = CertificateTokenClass(db_token)
    # missing user
    self.assertRaises(ParameterError, token.update,
                      {"ca": "localCA", "genkey": 1})
    token.update({"ca": "localCA", "genkey": 1, "user": "******"})
    self.assertEqual(token.token.serial, self.serial3)
    self.assertEqual(token.token.tokentype, "certificate")
    self.assertEqual(token.type, "certificate")

    expected_issuer = ("<X509Name object '/C=DE/ST=Hessen"
                       "/O=privacyidea/CN=CA001'>")
    expected_subject = ("<X509Name object "
                        "'/OU=realm1/CN=cornelius/[email protected]'>")

    def load_and_check(pem):
        # At each testrun, the certificate might get another serial number,
        # so only issuer and subject are compared
        x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, pem)
        self.assertEqual(repr(x509obj.get_issuer()), expected_issuer)
        self.assertEqual(repr(x509obj.get_subject()), expected_subject)
        return x509obj

    detail = token.get_init_detail()
    load_and_check(detail.get("certificate"))
    # Test, if the certificate is also completely stored in the tokeninfo
    # and if we can retrieve it from the tokeninfo
    token = get_tokens(serial=self.serial3)[0]
    x509obj = load_and_check(token.get_tokeninfo("certificate"))
    privatekey = token.get_tokeninfo("privatekey")
    self.assertTrue(privatekey.startswith("-----BEGIN PRIVATE KEY-----"))
    # check for pkcs12
    self.assertTrue(detail.get("pkcs12"))
    # revoke the token; the revocation result is the certificate serial
    revoked = token.revoke()
    self.assertEqual(revoked, int_to_hex(x509obj.get_serial_number()))
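def test_02_db_caconnector(self):
    """
    Exercise the CA connector persistence layer end to end.

    Saves a connector, updates it, reads it back through every list/config
    accessor, deletes it and finally re-reads the list to confirm the
    deletion actually reached the DB (the original compared a stale list).
    """
    # save a CA connector
    ca_id = save_caconnector({"caconnector": "myCA",
                              "type": "local",
                              "cakey": "/opt/ca/key.pem",
                              "cacert": "/opt/ca/cert.pem"})
    self.assertTrue(ca_id > 0, ca_id)
    # Update the CA connector. The keys of the first save ("cakey") are
    # expected to survive this second save, which is checked further down.
    save_caconnector({"caconnector": "myCA",
                      "type": "local",
                      "WorkingDir": "/opt/ca",
                      "Password": "******",
                      "type.Password": "******"})
    # check if connector is in DB
    calist = get_caconnector_list()
    self.assertEqual(len(calist), 1)
    calist = get_caconnector_list(filter_caconnector_type="local")
    self.assertEqual(len(calist), 1)
    # check the config values of "myCA"
    self.assertEqual(calist[0].get("data").get("WorkingDir"), "/opt/ca")
    self.assertEqual(calist[0].get("data").get("cakey"), "/opt/ca/key.pem")
    # get the CA connector list without a config
    calist = get_caconnector_list(return_config=False)
    self.assertEqual(len(calist), 1)
    # check that there are no values
    self.assertEqual(calist[0].get("data"), {})
    # test the CA connector:
    config = get_caconnector_config("myCA")
    self.assertEqual(config.get("WorkingDir"), "/opt/ca")
    self.assertEqual(config.get("cakey"), "/opt/ca/key.pem")
    # get_caconnector_object()
    ca_obj = get_caconnector_object("myCA")
    # assertEqual instead of assertTrue(x, "local"): the latter used "local"
    # as the failure message, so the connector type was never compared
    self.assertEqual(ca_obj.connector_type, "local")
    catype = get_caconnector_type("myCA")
    self.assertEqual(catype, "local")
    # delete the CA connector
    delete_caconnector("myCA")
    # check if connector is deleted from DB: the list has to be fetched
    # again, the `calist` from above is a snapshot taken before the delete
    calist = get_caconnector_list()
    self.assertEqual(len(calist), 0)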
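def save_caconnector_api(name=None):
    """
    Create or update the CA connector called *name*.

    The connector definition is taken from ``request.all_data``; the name
    is injected as the ``caconnector`` key before the data is handed to
    :func:`save_caconnector`. The audit entry records the name up front and
    is only marked successful after the save has returned.

    :param name: Name of the CA connector to create or update (presumably
        the route parameter)
    :return: The result wrapper produced by :func:`send_result` around the
        value returned by :func:`save_caconnector`
    """
    param = request.all_data
    # NOTE(review): request.all_data is modified in place, not copied --
    # anything reading all_data later in this request sees the injected key
    param["caconnector"] = name
    g.audit_object.log({"detail": u"{0!s}".format(name)})
    res = save_caconnector(param)
    g.audit_object.log({"success": True})
    return send_result(res)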
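def save_caconnector_api(name=None):
    """
    Create or update the CA connector called *name*.

    The connector definition is taken from ``request.all_data``; the name
    is injected as the ``caconnector`` key before the data is handed to
    :func:`save_caconnector`. The audit entry records the name up front and
    is only marked successful after the save has returned.

    :param name: Name of the CA connector to create or update (presumably
        the route parameter)
    :return: The result wrapper produced by :func:`send_result` around the
        value returned by :func:`save_caconnector`
    """
    param = request.all_data
    # NOTE(review): request.all_data is modified in place, not copied --
    # anything reading all_data later in this request sees the injected key
    param["caconnector"] = name
    g.audit_object.log({"detail": "{0!s}".format(name)})
    res = save_caconnector(param)
    g.audit_object.log({"success": True})
    return send_result(res)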
def save_caconnector_api(name=None):
    """
    Create or update the CA connector *name* from the request payload.

    ``request.all_data`` is used as the connector definition with *name*
    injected as its ``caconnector`` key. The name is written to the audit
    entry before saving; the entry is flagged successful afterwards.

    :param name: Name of the CA connector (presumably the route parameter)
    :return: :func:`send_result` wrapper around the :func:`save_caconnector`
        return value
    """
    audit = g.audit_object
    data = request.all_data
    data["caconnector"] = name
    audit.log({"detail": u"{0!s}".format(name)})
    result = save_caconnector(data)
    audit.log({"success": True})
    return send_result(result)
def test_02_create_token_from_request(self):
    """
    Enroll a certificate token from a ready CSR and verify the issued
    certificate (issuer and subject) both in the init detail and as stored
    in the tokeninfo. The token is removed at the end.
    """
    working_dir = os.getcwd() + "/" + WORKINGDIR
    # setup ca connector
    save_caconnector({"cakey": CAKEY,
                      "cacert": CACERT,
                      "type": "local",
                      "caconnector": "localCA",
                      "openssl.cnf": OPENSSLCNF,
                      "CSRDir": "",
                      "CertificateDir": "",
                      "WorkingDir": working_dir})
    db_token = Token(self.serial2, tokentype="certificate")
    db_token.save()
    token = CertificateTokenClass(db_token)
    # just upload a ready certificate request
    token.update({"ca": "localCA", "request": REQUEST})
    self.assertEqual(token.token.serial, self.serial2, token)
    self.assertEqual(token.token.tokentype, "certificate",
                     token.token.tokentype)
    self.assertEqual(token.type, "certificate", token)
    class_prefix = token.get_class_prefix()
    self.assertEqual(class_prefix, "CRT", class_prefix)
    self.assertEqual(token.get_class_type(), "certificate", token)

    expected_issuer = ("<X509Name object '/C=DE/ST=Hessen"
                       "/O=privacyidea/CN=CA001'>")
    expected_subject = ("<X509Name object '/C=DE/ST=Hessen"
                        "/O=privacyidea/CN=requester.localdomain'>")

    def check_names(pem):
        # At each testrun, the certificate might get another serial number,
        # so only issuer and subject are compared
        x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, pem)
        self.assertEqual(repr(x509obj.get_issuer()), expected_issuer)
        self.assertEqual(repr(x509obj.get_subject()), expected_subject)

    detail = token.get_init_detail()
    check_names(detail.get("certificate"))
    # Test, if the certificate is also completely stored in the tokeninfo
    # and if we can retrieve it from the tokeninfo
    token = get_tokens(serial=self.serial2)[0]
    check_names(token.get_tokeninfo("certificate"))
    remove_token(self.serial2)
def test_04_create_token_on_server(self):
    """
    Enroll a certificate token whose key pair is generated on the server
    (genkey=1), verify issuer/subject of the certificate both in the init
    detail and in the tokeninfo, and check the stored private key and the
    PKCS#12 container.
    """
    self.setUp_user_realms()
    working_dir = os.getcwd() + "/" + WORKINGDIR
    # setup ca connector
    save_caconnector({"cakey": CAKEY,
                      "cacert": CACERT,
                      "type": "local",
                      "caconnector": "localCA",
                      "openssl.cnf": OPENSSLCNF,
                      "CSRDir": "",
                      "CertificateDir": "",
                      "WorkingDir": working_dir})
    db_token = Token(self.serial3, tokentype="certificate")
    db_token.save()
    token = CertificateTokenClass(db_token)
    # missing user
    self.assertRaises(ParameterError, token.update,
                      {"ca": "localCA", "genkey": 1})
    token.update({"ca": "localCA", "genkey": 1, "user": "******"})
    self.assertEqual(token.token.serial, self.serial3)
    self.assertEqual(token.token.tokentype, "certificate")
    self.assertEqual(token.type, "certificate")

    expected_issuer = ("<X509Name object '/C=DE/ST=Hessen"
                       "/O=privacyidea/CN=CA001'>")
    expected_subject = ("<X509Name object "
                        "'/OU=realm1/CN=cornelius/[email protected]'>")

    def check_names(pem):
        # At each testrun, the certificate might get another serial number,
        # so only issuer and subject are compared
        x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, pem)
        self.assertEqual(repr(x509obj.get_issuer()), expected_issuer)
        self.assertEqual(repr(x509obj.get_subject()), expected_subject)

    detail = token.get_init_detail()
    check_names(detail.get("certificate"))
    # Test, if the certificate is also completely stored in the tokeninfo
    # and if we can retrieve it from the tokeninfo
    token = get_tokens(serial=self.serial3)[0]
    check_names(token.get_tokeninfo("certificate"))
    privatekey = token.get_tokeninfo("privatekey")
    self.assertTrue(privatekey.startswith("-----BEGIN PRIVATE KEY-----"))
    # check for pkcs12
    self.assertTrue(detail.get("pkcs12"))
def test_04_read_ca_connector(self):
    """
    Read CA connectors through the REST API: the full list (before and after
    adding a second connector) and a single connector filtered by name.
    """

    def fetch(path):
        # GET the given caconnector endpoint, check status/result and
        # return the "value" of the result
        with self.app.test_request_context(path, data={}, method='GET',
                                           headers={'Authorization': self.at}):
            res = self.app.full_dispatch_request()
            self.assertTrue(res.status_code == 200, res)
            result = json.loads(res.data.decode('utf8')).get("result")
            self.assertTrue(result["status"] is True, result)
            return result["value"]

    # presumably one connector ("con1") already exists from an earlier test
    self.assertEqual(len(fetch('/caconnector/')), 1)
    # create a second CA connector
    save_caconnector({"caconnector": "con2", "type": "local"})
    self.assertEqual(len(fetch('/caconnector/')), 2)
    # Get only one distinct connector filtered by name
    value = fetch('/caconnector/con1')
    self.assertEqual(len(value), 1)
    self.assertEqual(value[0].get("connectorname"), "con1")
def test_02_create_token_from_request(self):
    """
    Enroll a certificate token from a ready CSR and verify the issued
    certificate (issuer and subject) both in the init detail and as stored
    in the tokeninfo.
    """
    working_dir = os.getcwd() + "/" + WORKINGDIR
    # setup ca connector
    save_caconnector({"cakey": CAKEY,
                      "cacert": CACERT,
                      "type": "local",
                      "caconnector": "localCA",
                      "openssl.cnf": OPENSSLCNF,
                      "CSRDir": "",
                      "CertificateDir": "",
                      "WorkingDir": working_dir})
    db_token = Token(self.serial2, tokentype="certificate")
    db_token.save()
    token = CertificateTokenClass(db_token)
    # just upload a ready certificate request
    token.update({"ca": "localCA", "request": REQUEST})
    self.assertEqual(token.token.serial, self.serial2, token)
    self.assertEqual(token.token.tokentype, "certificate",
                     token.token.tokentype)
    self.assertEqual(token.type, "certificate", token)
    class_prefix = token.get_class_prefix()
    self.assertEqual(class_prefix, "CRT", class_prefix)
    self.assertEqual(token.get_class_type(), "certificate", token)

    expected_issuer = ("<X509Name object '/C=DE/ST=Hessen"
                       "/O=privacyidea/CN=CA001'>")
    expected_subject = ("<X509Name object '/C=DE/ST=Hessen"
                        "/O=privacyidea/CN=requester.localdomain'>")

    def check_names(pem):
        # At each testrun, the certificate might get another serial number,
        # so only issuer and subject are compared
        x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, pem)
        self.assertEqual(repr(x509obj.get_issuer()), expected_issuer)
        self.assertEqual(repr(x509obj.get_subject()), expected_subject)

    detail = token.get_init_detail()
    check_names(detail.get("certificate"))
    # Test, if the certificate is also completely stored in the tokeninfo
    # and if we can retrieve it from the tokeninfo
    token = get_tokens(serial=self.serial2)[0]
    check_names(token.get_tokeninfo("certificate"))
def test_02b_success_request_with_attestation(self):
    """
    A CSR delivered with a matching attestation certificate is accepted
    when the attestation chain can be verified against the configured
    trusted CA path; the issued certificate's issuer and subject are checked.
    """
    working_dir = os.getcwd() + "/" + WORKINGDIR
    # setup ca connector
    save_caconnector({"cakey": CAKEY,
                      "cacert": CACERT,
                      "type": "local",
                      "caconnector": "localCA",
                      "openssl.cnf": OPENSSLCNF,
                      "CSRDir": "",
                      "CertificateDir": "",
                      "WorkingDir": working_dir})
    db_token = Token(self.serial2, tokentype="certificate")
    db_token.save()
    token = CertificateTokenClass(db_token)
    # The cert request will succeed with a valid attestation certificate.
    # TRUSTED_CA_PATH presumably names the directory holding the trust
    # anchors the attestation chain is verified against -- confirm.
    enroll_params = {"ca": "localCA",
                     "attestation": YUBIKEY_ATTEST,
                     "request": YUBIKEY_CSR,
                     ACTION.TRUSTED_CA_PATH: ["tests/testdata/attestation/"]}
    token.update(enroll_params)
    class_prefix = token.get_class_prefix()
    self.assertEqual(class_prefix, "CRT", class_prefix)
    self.assertEqual(token.get_class_type(), "certificate", token)
    detail = token.get_init_detail()
    certificate = detail.get("certificate")
    # At each testrun, the certificate might get another serial number,
    # so only issuer and subject are compared
    x509obj = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
    expected_issuer = ("<X509Name object '/C=DE/ST=Hessen"
                       "/O=privacyidea/CN=CA001'>")
    self.assertEqual(repr(x509obj.get_issuer()), expected_issuer)
    self.assertEqual(repr(x509obj.get_subject()),
                     "<X509Name object '/CN=cn=cornelius'>")
    remove_token(self.serial2)