    def test_certs_mismatch(self, mock_certdb):
        """Ensure mismatches are detected.

        The pkidbuser entry carries a certificate created with
        serial_number=2 while the CA signing entry holds default
        IPACertificate objects, so IPADogtagCertsMatchCheck is expected
        to report ERROR as its first result (presumably the serial
        mismatch — confirm against the check implementation).
        """
        realm = m_api.env.realm
        fake_conn = LDAPClient('ldap://localhost', no_schema=True)

        # pkidbuser entry with a serial that differs from the default cert.
        pkidbentry = LDAPEntry(
            fake_conn,
            DN('uid=pkidbuser,ou=people,o=ipaca'),
            userCertificate=[IPACertificate(serial_number=2)],
            subjectName=['test'],
        )
        # CA signing certificate entry under cn=certificates.
        casign_dn = DN('cn=%s IPA CA' % realm,
                       'cn=certificates,cn=ipa,cn=etc',
                       m_api.env.basedn)
        casignentry = LDAPEntry(
            fake_conn,
            casign_dn,
            CACertificate=[IPACertificate()],
            userCertificate=[IPACertificate()],
            subjectName=['test'],
        )

        # NSS trust flags keyed by certificate nickname, as the mocked
        # CertDB will report them.
        trust = {
            'ocspSigningCert cert-pki-ca': 'u,u,u',
            'caSigningCert cert-pki-ca': 'u,u,u',
            'subsystemCert cert-pki-ca': 'u,u,u',
            'auditSigningCert cert-pki-ca': 'u,u,Pu',
            'Server-Cert cert-pki-ca': 'u,u,u',
            'transportCert cert-pki-kra': 'u,u,u',
            'storageCert cert-pki-kra': 'u,u,u',
            'auditSigningCert cert-pki-kra': 'u,u,Pu',
        }

        # Subjects of the Dogtag CA/KRA subsystem certificates.
        dogtag_entries_subjects = (
            'CN=OCSP Subsystem,O=%s' % realm,
            'CN=CA Subsystem,O=%s' % realm,
            'CN=CA Audit,O=%s' % realm,
            'CN=%s,O=%s' % (m_api.env.host, realm),
            'CN=KRA Transport Certificate,O=%s' % realm,
            'CN=KRA Storage Certificate,O=%s' % realm,
            'CN=KRA Audit,O=%s' % realm,
        )

        # One certificateRepository entry per subsystem subject.
        dogtag_entries = [
            LDAPEntry(fake_conn,
                      DN('cn=%i,ou=certificateRepository' % i,
                         'ou=ca,o=ipaca'),
                      userCertificate=[IPACertificate()],
                      subjectName=[subject])
            for i, subject in enumerate(dogtag_entries_subjects)
        ]
        ldap_entries = [pkidbentry, casignentry] + dogtag_entries

        mock_certdb.return_value = mock_CertDB(trust)

        framework = object()
        registry.initialize(framework, config.Config())
        check = IPADogtagCertsMatchCheck(registry)
        check.conn = mock_ldap(ldap_entries)
        self.results = capture_results(check)

        assert len(self.results) == 3
        first = self.results.results[0]
        assert first.result == constants.ERROR
        assert first.source == 'ipahealthcheck.ipa.certs'
        assert first.check == 'IPADogtagCertsMatchCheck'
    def test_member_ok(self):
        """Report SUCCESS when the host is a member of 'adtrust agents'.

        The host entry's memberof points at the adtrust agents sysaccount
        group and registry.trust_agent is set, so IPATrustAgentMemberCheck
        should emit a single SUCCESS keyed by the host name. The config is
        attached directly on the check rather than passed to
        registry.initialize — presumably an API difference; verify before
        changing.
        """
        base = m_api.env.basedn
        agent_dn = DN(('fqdn', m_api.env.host), m_api.env.container_host,
                      base)
        group_dn = DN(('cn', 'adtrust agents'),
                      m_api.env.container_sysaccounts, base)

        fake_conn = LDAPClient('ldap://localhost', no_schema=True)
        ldapentry = LDAPEntry(fake_conn, agent_dn)
        # Membership is the only attribute the check needs on the entry.
        ldapentry['memberof'] = [group_dn]

        framework = object()
        registry.initialize(framework)
        registry.trust_agent = True
        check = IPATrustAgentMemberCheck(registry)

        check.conn = mock_ldap(ldapentry)
        check.config = config.Config()
        self.results = capture_results(check)

        assert len(self.results) == 1

        only = self.results.results[0]
        assert only.result == constants.SUCCESS
        assert only.source == 'ipahealthcheck.ipa.trust'
        assert only.check == 'IPATrustAgentMemberCheck'
        assert only.kw.get('key') == m_api.env.host
    def test_kra_agent_nonmatching_cert(self):
        """Report ERROR when the KRA agent entry's cert does not match.

        The ipakra entry's description attribute names serial 1
        (presumably the ``version;serial;issuer;subject`` layout used
        for agent entries — confirm against the check) while its
        usercertificate is built with serial 2, so IPAKRAAgent should
        flag the mismatch and report the RA agent PEM path and the
        entry DN in the result keywords.
        """
        cert2 = IPACertificate(2)

        fake_conn = LDAPClient('ldap://localhost', no_schema=True)
        ldapentry = LDAPEntry(fake_conn,
                              DN('uid=ipakra,ou=people,o=kra,o=ipaca'))
        # Attribute order matters only for readability; both are set
        # before the check runs.
        ldapentry['description'] = ['2;1;CN=ISSUER;CN=RA AGENT']
        ldapentry['usercertificate'] = [cert2]

        framework = object()
        registry.initialize(framework, config.Config())
        check = IPAKRAAgent(registry)

        check.conn = mock_ldap([ldapentry])
        self.results = capture_results(check)
        first = self.results.results[0]

        assert first.result == constants.ERROR
        assert first.kw.get('certfile') == paths.RA_AGENT_PEM
        assert first.kw.get('dn') == 'uid=ipakra,ou=people,o=kra,o=ipaca'
    def test_certs_mismatch(self, mock_certdb):
        """Ensure mismatches are detected.

        config_show is mocked to return the default subject base, the
        pkidbuser entry carries a certificate with serial_number=2, and
        the CA signing entry holds default IPACertificate objects. The
        first result from IPADogtagCertsMatchCheck is expected to be
        ERROR (presumably the serial mismatch — confirm against the
        check implementation).
        """
        m_api.Command.config_show.side_effect = default_subject_base
        realm = m_api.env.realm
        fake_conn = LDAPClient('ldap://localhost', no_schema=True)

        # pkidbuser entry with a serial that differs from the default cert.
        pkidbentry = LDAPEntry(
            fake_conn,
            DN('uid=pkidbuser,ou=people,o=ipaca'),
            userCertificate=[IPACertificate(serial_number=2)],
            subjectName=['test'],
        )
        # CA signing certificate entry under cn=certificates.
        casign_dn = DN('cn=%s IPA CA' % realm,
                       'cn=certificates,cn=ipa,cn=etc',
                       m_api.env.basedn)
        casignentry = LDAPEntry(
            fake_conn,
            casign_dn,
            CACertificate=[IPACertificate()],
            userCertificate=[IPACertificate()],
            subjectName=['test'],
        )

        dogtag_entries_subjects = self.get_dogtag_subjects(
            m_api.env.host, default_subject_base)

        # One certificateRepository entry per subsystem subject.
        dogtag_entries = [
            LDAPEntry(fake_conn,
                      DN('cn=%i,ou=certificateRepository' % i,
                         'ou=ca,o=ipaca'),
                      userCertificate=[IPACertificate()],
                      subjectName=[subject])
            for i, subject in enumerate(dogtag_entries_subjects)
        ]
        ldap_entries = [pkidbentry, casignentry] + dogtag_entries

        mock_certdb.return_value = mock_CertDB(self.trust)

        framework = object()
        registry.initialize(framework, config.Config())
        check = IPADogtagCertsMatchCheck(registry)
        check.conn = mock_ldap(ldap_entries)
        self.results = capture_results(check)

        assert len(self.results) == 3
        first = self.results.results[0]
        assert first.result == constants.ERROR
        assert first.source == 'ipahealthcheck.ipa.certs'
        assert first.check == 'IPADogtagCertsMatchCheck'
    def test_etc_cacert_mismatch(self, mock_certdb, mock_load_cert):
        """Test mismatch with /etc/ipa/ca.crt.

        The LDAP CA entry holds a default IPACertificate while the
        mocked on-disk loader returns a certificate with serial_number=2,
        so IPACertMatchCheck is expected to report ERROR as its first
        result.
        """
        fake_conn = LDAPClient('ldap://localhost', no_schema=True)
        cacert_dn = DN('cn=%s IPA CA' % m_api.env.realm,
                       'cn=certificates,cn=ipa,cn=etc',
                       m_api.env.basedn)
        cacertentry = LDAPEntry(fake_conn, cacert_dn,
                                CACertificate=[IPACertificate()])

        mock_certdb.return_value = mock_CertDB(self.trust)
        # Simulate a file whose certificate serial differs from LDAP.
        mock_load_cert.return_value = [IPACertificate(serial_number=2)]

        framework = object()
        registry.initialize(framework, config.Config())
        check = IPACertMatchCheck(registry)
        check.conn = mock_ldap([cacertentry])
        self.results = capture_results(check)

        assert len(self.results) == 3
        first = self.results.results[0]
        assert first.result == constants.ERROR
        assert first.source == 'ipahealthcheck.ipa.certs'
        assert first.check == 'IPACertMatchCheck'
    def test_certs_match_ok(self, mock_certdb, mock_load_cert):
        """Ensure match check is ok.

        Both the LDAP CA entry and the mocked on-disk loader yield default
        IPACertificate objects, so every result from IPACertMatchCheck is
        expected to be SUCCESS.
        """
        fake_conn = LDAPClient('ldap://localhost', no_schema=True)
        cacert_dn = DN('cn=%s IPA CA' % m_api.env.realm,
                       'cn=certificates,cn=ipa,cn=etc',
                       m_api.env.basedn)
        cacertentry = LDAPEntry(fake_conn, cacert_dn,
                                CACertificate=[IPACertificate()])

        mock_certdb.return_value = mock_CertDB(self.trust)
        # On-disk certificate matches the LDAP one.
        mock_load_cert.return_value = [IPACertificate()]

        framework = object()
        registry.initialize(framework, config.Config())
        check = IPACertMatchCheck(registry)
        check.conn = mock_ldap([cacertentry])
        self.results = capture_results(check)

        assert len(self.results) == 3
        expected = (constants.SUCCESS, 'ipahealthcheck.ipa.certs',
                    'IPACertMatchCheck')
        for outcome in self.results.results:
            assert (outcome.result, outcome.source, outcome.check) == expected