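class TestCACerts(BaseTest):
    """Tests for DogtagCertsConfigCheck.

    The check is driven by two mocked inputs: the certificate nicknames
    that ``get_directive`` returns from the Dogtag configuration and the
    nicknames/trust flags present in the mocked NSS database (CertDB).
    A nickname that exists in the configuration but not in the database
    is expected to be reported as an ERROR keyed on that nickname.
    """

    patches = {
        'ipaserver.install.cainstance.CAInstance':
        Mock(return_value=CAInstance()),
        'ipaserver.install.krainstance.KRAInstance':
        Mock(return_value=KRAInstance()),
    }

    def _run_check(self):
        """Run DogtagCertsConfigCheck and store the captured results."""
        framework = object()
        registry.initialize(framework)
        f = DogtagCertsConfigCheck(registry)
        f.config = config.Config()
        self.results = capture_results(f)

    @staticmethod
    def _assert_success(result):
        """One result from the check reports SUCCESS."""
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.check == 'DogtagCertsConfigCheck'

    @patch('ipahealthcheck.dogtag.ca.get_directive')
    @patch('ipaserver.install.certs.CertDB')
    def test_ca_certs_ok(self, mock_certdb, mock_directive):
        """Test what should be the standard case"""
        trust = {
            'ocspSigningCert cert-pki-ca': 'u,u,u',
            'subsystemCert cert-pki-ca': 'u,u,u',
            'auditSigningCert cert-pki-ca': 'u,u,Pu',
            'Server-Cert cert-pki-ca': 'u,u,u',
            'caSigningCert cert-pki-ca': 'CT,C,C',
            'transportCert cert-pki-kra': 'u,u,u',
        }
        mock_certdb.return_value = mock_CertDB(trust)
        # Hand out the database nicknames in insertion order, one per
        # get_directive() call, so every configured nickname matches.
        mock_directive.side_effect = list(trust)

        self._run_check()

        assert len(self.results) == 6
        for result in self.results.results:
            self._assert_success(result)

    @patch('ipahealthcheck.dogtag.ca.get_directive')
    @patch('ipaserver.install.certs.CertDB')
    def test_cert_missing_from_file(self, mock_certdb, mock_directive):
        """Test a missing certificate.

        Note that if it is missing from the database then this
        check will not catch the error but it will be caught
        elsewhere.
        """
        trust = {
            'ocspSigningCert cert-pki-ca': 'u,u,u',
            'subsystemCert cert-pki-ca': 'u,u,u',
            'auditSigningCert cert-pki-ca': 'u,u,Pu',
            'Server-Cert cert-pki-ca': 'u,u,u',
            'caSigningCert cert-pki-ca': 'CT,,',
            'transportCert cert-pki-kra': 'u,u,u',
        }
        # Doctor the audit signing nickname so the configured value no
        # longer matches anything in the database; its position is kept
        # so the assertions below can locate the expected failure.
        nicknames = list(trust)
        location = nicknames.index('auditSigningCert cert-pki-ca')
        nicknames[location] = 'NOT auditSigningCert cert-pki-ca'
        mock_certdb.return_value = mock_CertDB(trust)
        mock_directive.side_effect = nicknames

        self._run_check()

        assert len(self.results) == 6

        # Every certificate except the doctored one is reported as fine.
        for index, result in enumerate(self.results.results):
            if index == location:
                continue
            self._assert_success(result)

        # The doctored one is reported against its database nickname.
        result = self.results.results[location]
        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.check == 'DogtagCertsConfigCheck'
        assert result.kw.get('key') == 'auditSigningCert cert-pki-ca'

    @patch('ipaserver.install.cainstance.CAInstance')
    def test_cacert_caless(self, mock_cainstance):
        """Nothing to check if the master is CALess"""
        mock_cainstance.return_value = CAInstance(False)

        self._run_check()

        assert len(self.results) == 0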
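class TestIPADogtagCertMatch(BaseTest):
    """Tests for IPADogtagCertsMatchCheck.

    Every test feeds the check the same LDAP fixture: the ``pkidbuser``
    entry, the IPA CA signing entry under ``cn=certificates`` and one
    Dogtag ``certificateRepository`` entry per subject returned by
    :meth:`get_dogtag_subjects`.  The ``_ok`` tests use matching
    certificates everywhere; the ``_mismatch`` tests give ``pkidbuser`` a
    certificate with a different serial number and expect the first
    result to be an ERROR.  The ``_subject`` variants repeat both cases
    with a custom certificate subject base.
    """

    patches = {
        'ipaserver.install.krainstance.KRAInstance':
        Mock(return_value=KRAInstance()),
    }

    # Trust flags reported by the mocked NSS database in every test.
    trust = {
        'ocspSigningCert cert-pki-ca': 'u,u,u',
        'caSigningCert cert-pki-ca': 'u,u,u',
        'subsystemCert cert-pki-ca': 'u,u,u',
        'auditSigningCert cert-pki-ca': 'u,u,Pu',
        'Server-Cert cert-pki-ca': 'u,u,u',
        'transportCert cert-pki-kra': 'u,u,u',
        'storageCert cert-pki-kra': 'u,u,u',
        'auditSigningCert cert-pki-kra': 'u,u,Pu',
    }

    def get_dogtag_subjects(self, hostname, base):
        """Return the subject DNs placed in the Dogtag certificate repository.

        ``base`` is the ``config_show`` result sequence; the subject base is
        read from ``ipacertificatesubjectbase`` of its first element.
        ``hostname`` is substituted into the last (server) subject.
        """
        subject_base = base[0]['result']['ipacertificatesubjectbase'][0]
        return (
            f'CN=OCSP Subsystem,{subject_base}',
            f'CN=CA Subsystem,{subject_base}',
            f'CN=CA Audit,{subject_base}',
            # NOTE(review): the literal '%s' is kept from the original
            # fixture; it is not substituted anywhere here — confirm it is
            # intentional.
            f'CN=%s,{subject_base}',
            f'CN=KRA Transport Certificate,{subject_base}',
            f'CN=KRA Storage Certificate,{subject_base}',
            f'CN=KRA Audit,{subject_base}',
            f'CN={hostname},{subject_base}',
        )

    def _build_ldap_entries(self, subject_base, pkidb_cert):
        """Build the LDAP entries the check reads.

        Returns the ``pkidbuser`` entry holding ``pkidb_cert``, the IPA CA
        signing entry and one ``certificateRepository`` entry per subject
        from :meth:`get_dogtag_subjects`, in that order.
        """
        fake_conn = LDAPClient('ldap://localhost', no_schema=True)
        pkidbentry = LDAPEntry(
            fake_conn,
            DN('uid=pkidbuser,ou=people,o=ipaca'),
            userCertificate=[pkidb_cert],
            subjectName=['test'])
        casignentry = LDAPEntry(
            fake_conn,
            DN('cn=%s IPA CA' % m_api.env.realm,
               'cn=certificates,cn=ipa,cn=etc',
               m_api.env.basedn),
            CACertificate=[IPACertificate()],
            userCertificate=[IPACertificate()],
            subjectName=['test'])
        entries = [pkidbentry, casignentry]

        subjects = self.get_dogtag_subjects(m_api.env.host, subject_base)
        for i, subject in enumerate(subjects):
            entries.append(LDAPEntry(
                fake_conn,
                DN('cn=%i,ou=certificateRepository' % i, 'ou=ca,o=ipaca'),
                userCertificate=[IPACertificate()],
                subjectName=[subject]))
        return entries

    def _run_match_check(self, mock_certdb, subject_base, pkidb_cert):
        """Run IPADogtagCertsMatchCheck on the fixture and store the results.

        ``subject_base`` serves both as the side_effect of the mocked
        ``config_show`` command and as the source of the Dogtag subjects.
        """
        m_api.Command.config_show.side_effect = subject_base
        ldap_entries = self._build_ldap_entries(subject_base, pkidb_cert)
        mock_certdb.return_value = mock_CertDB(self.trust)

        framework = object()
        registry.initialize(framework, config.Config())
        f = IPADogtagCertsMatchCheck(registry)
        f.conn = mock_ldap(ldap_entries)
        self.results = capture_results(f)

    def _assert_all_success(self):
        """All three results report SUCCESS from the match check."""
        assert len(self.results) == 3
        for result in self.results.results:
            assert result.result == constants.SUCCESS
            assert result.source == 'ipahealthcheck.ipa.certs'
            assert result.check == 'IPADogtagCertsMatchCheck'

    def _assert_first_is_error(self):
        """Three results are produced and the first one is an ERROR."""
        assert len(self.results) == 3
        result = self.results.results[0]
        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.ipa.certs'
        assert result.check == 'IPADogtagCertsMatchCheck'

    @patch('ipaserver.install.certs.CertDB')
    def test_certs_match_ok(self, mock_certdb):
        """ Ensure match check is ok"""
        self._run_match_check(mock_certdb, default_subject_base,
                              IPACertificate())
        self._assert_all_success()

    @patch('ipaserver.install.certs.CertDB')
    def test_certs_mismatch(self, mock_certdb):
        """ Ensure mismatches are detected"""
        # pkidbuser carries a certificate with a different serial number
        # than the repository entries.
        self._run_match_check(mock_certdb, default_subject_base,
                              IPACertificate(serial_number=2))
        self._assert_first_is_error()

    @patch('ipaserver.install.certs.CertDB')
    def test_certs_match_ok_subject(self, mock_certdb):
        """ Ensure match check is ok with a custom subject base"""
        self._run_match_check(mock_certdb, custom_subject_base,
                              IPACertificate())
        self._assert_all_success()

    @patch('ipaserver.install.certs.CertDB')
    def test_certs_mismatch_subject(self, mock_certdb):
        """ Ensure mismatches are detected with a custom subject base"""
        self._run_match_check(mock_certdb, custom_subject_base,
                              IPACertificate(serial_number=2))
        self._assert_first_is_error()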
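class TestNSSDBTrust(BaseTest):
    """Tests for IPACertNSSTrust.

    The mocked NSS database returns a nickname -> trust-flags mapping; the
    check reports one result per expected CA certificate: SUCCESS when the
    flags are the expected ones, ERROR with an explanatory ``msg`` when the
    flags differ or the certificate is missing from the database.
    """

    patches = {
        'ipaserver.install.cainstance.CAInstance':
        Mock(return_value=CAInstance()),
        'ipaserver.install.krainstance.KRAInstance':
        Mock(return_value=KRAInstance(False)),
        'ipapython.certdb.unparse_trust_flags':
        Mock(side_effect=my_unparse_trust_flags),
    }

    def _run_check(self, mock_certdb, trust):
        """Run IPACertNSSTrust against ``trust`` and store the results."""
        mock_certdb.return_value = mock_CertDB(trust)
        framework = object()
        # A Config instance, not the class, matching the other test
        # classes in this module.
        registry.initialize(framework, config.Config())
        f = IPACertNSSTrust(registry)
        self.results = capture_results(f)

    @staticmethod
    def _assert_success(result):
        """One result reports SUCCESS for a cert-pki-ca certificate."""
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.ipa.certs'
        assert result.check == 'IPACertNSSTrust'
        assert 'cert-pki-ca' in result.kw.get('key')

    @staticmethod
    def _assert_error(result, key, msg):
        """One result reports ERROR for nickname ``key`` with message ``msg``."""
        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.ipa.certs'
        assert result.check == 'IPACertNSSTrust'
        assert result.kw.get('key') == key
        assert result.kw.get('msg') == msg

    @patch('ipaserver.install.certs.CertDB')
    def test_trust_default_ok(self, mock_certdb):
        """Test what should be the standard case"""
        trust = {
            'ocspSigningCert cert-pki-ca': 'u,u,u',
            'subsystemCert cert-pki-ca': 'u,u,u',
            'auditSigningCert cert-pki-ca': 'u,u,Pu',
            'Server-Cert cert-pki-ca': 'u,u,u'
        }
        self._run_check(mock_certdb, trust)

        assert len(self.results) == 4
        for result in self.results.results:
            self._assert_success(result)

    @patch('ipaserver.install.certs.CertDB')
    def test_trust_ocsp_missing(self, mock_certdb):
        """Test a missing certificate"""
        trust = {
            'subsystemCert cert-pki-ca': 'u,u,u',
            'auditSigningCert cert-pki-ca': 'u,u,Pu',
            'Server-Cert cert-pki-ca': 'u,u,u'
        }
        self._run_check(mock_certdb, trust)

        # The check reports success for those that it found and are
        # correct and reports missing certs last.
        # NOTE(review): only the first len-2 results are asserted, which
        # leaves the penultimate one unchecked; if the ordering above
        # holds, len-1 would cover every non-final result — confirm
        # before tightening.
        num = len(self.results.results) - 2
        for result in self.results.results[:num]:
            self._assert_success(result)

        self._assert_error(
            self.results.results[-1],
            'ocspSigningCert cert-pki-ca',
            'Certificate ocspSigningCert cert-pki-ca missing while '
            'verifying trust')

        assert len(self.results) == 4

    @patch('ipaserver.install.certs.CertDB')
    def test_trust_bad(self, mock_certdb):
        """Test multiple unexpected trust flags"""
        trust = {
            'ocspSigningCert cert-pki-ca': 'u,u,u',
            'subsystemCert cert-pki-ca': 'X,u,u',
            'auditSigningCert cert-pki-ca': 'u,u,Pu',
            'Server-Cert cert-pki-ca': 'X,u,u'
        }
        self._run_check(mock_certdb, trust)

        # Results follow the order of the trust mapping: the 2nd and 4th
        # entries carry the bad 'X' flag.
        self._assert_error(
            self.results.results[1],
            'subsystemCert cert-pki-ca',
            'Incorrect NSS trust for subsystemCert cert-pki-ca. Got X,u,u '
            'expected u,u,u')
        self._assert_error(
            self.results.results[3],
            'Server-Cert cert-pki-ca',
            'Incorrect NSS trust for Server-Cert cert-pki-ca. Got X,u,u '
            'expected u,u,u')

        assert len(self.results) == 4

    @patch('ipaserver.install.cainstance.CAInstance')
    def test_trust_caless(self, mock_cainstance):
        """Nothing to check if the master is CALess"""
        mock_cainstance.return_value = CAInstance(False)

        framework = object()
        registry.initialize(framework, config.Config())
        f = IPACertNSSTrust(registry)
        self.results = capture_results(f)

        assert len(self.results) == 0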
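class TestKRAAgent(BaseTest):
    """Tests for IPAKRAAgent.

    The check looks up the KRA agent entry in LDAP (fed through
    ``mock_ldap``) and compares its ``usercertificate`` values against the
    certificate loaded from the RA agent PEM file (mocked to return
    ``cert``).  Exactly one entry carrying the file's certificate and a
    ``description`` attribute is the SUCCESS case; no entry, several
    entries, a missing description, an unloadable file or a non-matching
    certificate are each reported as an ERROR.
    """

    cert = IPACertificate()

    patches = {
        'ldap.initialize': Mock(return_value=mock_ldap_conn()),
        'ipaserver.install.krainstance.KRAInstance':
        Mock(return_value=KRAInstance()),
        'ipalib.x509.load_certificate_from_file': Mock(return_value=cert),
    }

    # Description value used whenever a well-formed agent entry is needed.
    AGENT_DESCRIPTION = ['2;1;CN=ISSUER;CN=RA AGENT']

    @staticmethod
    def _agent_entry(conn, attrs):
        """Return the KRA agent LDAPEntry on ``conn`` populated from ``attrs``."""
        entry = LDAPEntry(conn, DN('uid=ipakra,ou=people,o=kra,o=ipaca'))
        for attr, values in attrs.items():
            entry[attr] = values
        return entry

    def _make_check(self):
        """Initialize the registry and return a fresh IPAKRAAgent check."""
        framework = object()
        # Always an instance, consistent with the rest of this module.
        registry.initialize(framework, config.Config())
        return IPAKRAAgent(registry)

    def _run_with_entries(self, entries):
        """Run the check against ``entries`` (None means NotFound)."""
        f = self._make_check()
        f.conn = mock_ldap(entries)
        self.results = capture_results(f)

    def _assert_single_success(self):
        """Exactly one SUCCESS result was produced by IPAKRAAgent."""
        assert len(self.results) == 1
        result = self.results.results[0]
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.ipa.certs'
        assert result.check == 'IPAKRAAgent'

    def test_kra_agent_ok(self):
        """One agent entry whose certificate matches the PEM file"""
        fake_conn = LDAPClient('ldap://localhost', no_schema=True)
        ldapentry = self._agent_entry(fake_conn, {
            'description': self.AGENT_DESCRIPTION,
            'usercertificate': [self.cert],
        })

        self._run_with_entries([ldapentry])

        self._assert_single_success()

    def test_kra_agent_no_description(self):
        """An agent entry without a description attribute is an error"""
        fake_conn = LDAPClient('ldap://localhost', no_schema=True)
        ldapentry = self._agent_entry(fake_conn, {
            'usercertificate': [self.cert],
        })

        self._run_with_entries([ldapentry])

        result = self.results.results[0]
        assert result.result == constants.ERROR
        assert 'description' in result.kw.get('msg')

    @patch('ipalib.x509.load_certificate_from_file')
    def test_kra_agent_load_failure(self, mock_load_cert):
        """Failure to read the agent PEM file is reported with the error"""
        mock_load_cert.side_effect = IOError('test')

        f = self._make_check()
        self.results = capture_results(f)

        result = self.results.results[0]
        assert result.result == constants.ERROR
        assert result.kw.get('error') == 'test'

    def test_kra_agent_no_entry_found(self):
        """No agent entry in LDAP is an error"""
        self._run_with_entries(None)  # None == NotFound

        result = self.results.results[0]
        assert result.result == constants.ERROR
        assert result.kw.get('msg') == 'KRA agent not found in LDAP'

    def test_kra_agent_too_many(self):
        """More than one agent entry is an error reporting the count"""
        attrs = {
            'description': self.AGENT_DESCRIPTION,
            'usercertificate': [self.cert],
        }
        fake_conn = LDAPClient('ldap://localhost', no_schema=True)
        # Both entries are fully populated (the original test populated
        # the first entry twice and left the second one empty).
        ldapentry = self._agent_entry(fake_conn, attrs)
        ldapentry2 = self._agent_entry(fake_conn, attrs)

        self._run_with_entries([ldapentry, ldapentry2])

        result = self.results.results[0]
        assert result.result == constants.ERROR
        assert result.kw.get('found') == 2

    def test_kra_agent_nonmatching_cert(self):
        """The entry's certificate differs from the PEM file"""
        cert2 = IPACertificate(2)
        fake_conn = LDAPClient('ldap://localhost', no_schema=True)
        ldapentry = self._agent_entry(fake_conn, {
            'description': self.AGENT_DESCRIPTION,
            'usercertificate': [cert2],
        })

        self._run_with_entries([ldapentry])

        result = self.results.results[0]
        assert result.result == constants.ERROR
        assert result.kw.get('certfile') == paths.RA_AGENT_PEM
        assert result.kw.get('dn') == 'uid=ipakra,ou=people,o=kra,o=ipaca'

    def test_kra_agent_multiple_certs(self):
        """Several certificates on the entry, one of which matches"""
        cert2 = IPACertificate(2)
        fake_conn = LDAPClient('ldap://localhost', no_schema=True)
        ldapentry = self._agent_entry(fake_conn, {
            'description': self.AGENT_DESCRIPTION,
            'usercertificate': [cert2, self.cert],
        })

        self._run_with_entries([ldapentry])

        self._assert_single_success()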