def test_ca_connection_cert_not_found(self, mock_load_cert, mock_ca_subject):
    """Connectivity check when cert_show reports the serial number as missing.

    cert_show is mocked to raise CertificateOperationError carrying a
    "serial number 0x0 not found" message. Exactly one ERROR result is
    expected, with key 'cert_show_1', serial '1' and the unformatted
    'Serial number not found: {error}' message template.
    """
    # Arrange: shared API mock plus the two patched helpers.
    m_api.Command.cert_show.reset_mock()
    m_api.Command.config_show.side_effect = subject_base
    serial_missing = CertificateOperationError(
        message='Certificate operation cannot be completed: '
                'EXCEPTION (Certificate serial number 0x0 not found)'
    )
    m_api.Command.cert_show.side_effect = serial_missing
    mock_load_cert.return_value = [IPACertificate()]
    ca_subject = DN(('cn', 'Certificate Authority'),
                    f'O={m_api.env.realm}')
    mock_ca_subject.return_value = ca_subject

    # Act: run the check through the registry.
    registry.initialize(object(), config.Config)
    check = DogtagCertsConnectivityCheck(registry)
    self.results = capture_results(check)

    # Assert: a single ERROR result describing the missing serial.
    assert len(self.results) == 1
    outcome = self.results.results[0]
    assert outcome.result == constants.ERROR
    assert outcome.source == 'ipahealthcheck.dogtag.ca'
    assert outcome.check == 'DogtagCertsConnectivityCheck'
    expected_kw = {
        'key': 'cert_show_1',
        'serial': '1',
        'msg': 'Serial number not found: {error}',
    }
    for field, wanted in expected_kw.items():
        assert outcome.kw.get(field) == wanted
def test_ca_connection_not_found(self, mock_load_cert, mock_ca_subject):
    """Connectivity check when the expected CA subject is not among the loaded certs.

    cert_show itself is mocked to answer normally (not revoked), but the
    only loaded certificate is built with 'CN=something'. The test expects
    one ERROR result whose message is the "CA certificate with subject
    {subject} was not found in {path}" template.
    """
    # Arrange: cert_show succeeds; the mismatch is in the loaded certificate.
    m_api.Command.cert_show.side_effect = None
    m_api.Command.config_show.side_effect = subject_base
    m_api.Command.cert_show.return_value = {
        u'result': {u'revoked': False}
    }
    # presumably the second argument is the certificate subject — confirm
    # against the IPACertificate test double.
    unrelated_cert = IPACertificate(1, 'CN=something')
    mock_load_cert.return_value = [unrelated_cert]
    mock_ca_subject.return_value = DN(
        ('cn', 'Certificate Authority'),
        f'O={m_api.env.realm}',
    )

    # Act
    registry.initialize(object(), config.Config)
    check = DogtagCertsConnectivityCheck(registry)
    self.results = capture_results(check)

    # Assert
    assert len(self.results) == 1
    outcome = self.results.results[0]
    assert outcome.result == constants.ERROR
    assert outcome.source == 'ipahealthcheck.dogtag.ca'
    wanted_msg = (
        'The CA certificate with subject {subject} was not found in {path}'
    )
    assert outcome.kw['msg'] == wanted_msg
def test_ca_connection_cert_not_in_file_list(
    self, mock_load_cert, mock_ca_subject
):
    """Connectivity check for a CA cert that isn't in IPA_CA_CRT.

    config_show is fed bad_subject_base and the CA subject mock returns an
    'O=BAD' DN. One ERROR result is expected, reporting the bad subject,
    the paths.IPA_CA_CRT path and the "not found in {path}" template.
    """
    # NOTE(review): reset_mock() is called without arguments and this test
    # does not set cert_show.side_effect; assuming m_api is a unittest.mock
    # object, whatever side_effect/return_value an earlier test configured
    # stays in place. Confirm the check never reaches cert_show here.
    m_api.Command.cert_show.reset_mock()
    m_api.Command.config_show.side_effect = bad_subject_base
    mock_load_cert.return_value = [IPACertificate()]
    mock_ca_subject.return_value = DN(
        ('cn', 'Certificate Authority'), 'O=BAD'
    )

    # Act
    registry.initialize(object(), config.Config)
    check = DogtagCertsConnectivityCheck(registry)
    self.results = capture_results(check)

    # Assert
    assert len(self.results) == 1
    outcome = self.results.results[0]
    assert outcome.result == constants.ERROR
    assert outcome.source == 'ipahealthcheck.dogtag.ca'
    assert outcome.check == 'DogtagCertsConnectivityCheck'

    # Rebuild the subject the check should have looked for from the fixture.
    subject_base_entry = bad_subject_base[0]['result']
    bad = subject_base_entry['ipacertificatesubjectbase'][0]
    bad_subject = DN(f'CN=Certificate Authority,{bad}')
    assert DN(outcome.kw['subject']) == bad_subject
    assert outcome.kw['path'] == paths.IPA_CA_CRT
    wanted_msg = (
        'The CA certificate with subject {subject} was not found in {path}'
    )
    assert outcome.kw['msg'] == wanted_msg
def test_ca_connection_down(self, mock_load_cert, mock_ca_subject):
    """Connectivity check with the CA down.

    cert_show is mocked to raise CertificateOperationError with an
    "Unable to communicate with CMS (503)" message. One ERROR result is
    expected, carrying the unformatted
    'Request for certificate failed: {error}' template.
    """
    # Arrange
    cms_unreachable = CertificateOperationError(
        message='Certificate operation cannot be completed: '
                'Unable to communicate with CMS (503)'
    )
    m_api.Command.cert_show.side_effect = cms_unreachable
    m_api.Command.config_show.side_effect = subject_base
    mock_load_cert.return_value = [IPACertificate()]
    mock_ca_subject.return_value = DN(
        ('cn', 'Certificate Authority'),
        f'O={m_api.env.realm}',
    )

    # Act
    registry.initialize(object(), config.Config)
    check = DogtagCertsConnectivityCheck(registry)
    self.results = capture_results(check)

    # Assert
    assert len(self.results) == 1
    outcome = self.results.results[0]
    assert outcome.result == constants.ERROR
    assert outcome.source == 'ipahealthcheck.dogtag.ca'
    assert outcome.check == 'DogtagCertsConnectivityCheck'
    wanted_msg = 'Request for certificate failed: {error}'
    assert outcome.kw.get('msg') == wanted_msg
def test_ca_certs_ok(self, mock_certdb, mock_directive):
    """Standard case: every certificate nickname matches its directive.

    Six nicknames are handed to the certificate-database mock and the same
    six names are returned, in order, by the directive mock. Six SUCCESS
    results are expected.
    """
    # Nickname -> trust string given to mock_CertDB. No assertion in this
    # test examines the trust values themselves.
    trust = {
        'ocspSigningCert cert-pki-ca': 'u,u,u',
        'subsystemCert cert-pki-ca': 'u,u,u',
        'auditSigningCert cert-pki-ca': 'u,u,Pu',
        'Server-Cert cert-pki-ca': 'u,u,u',
        'caSigningCert cert-pki-ca': 'CT,C,C',
        'transportCert cert-pki-kra': 'u,u,u',
    }
    mock_certdb.return_value = mock_CertDB(trust)
    # One directive lookup per nickname, in dict order.
    mock_directive.side_effect = list(trust)

    # Act
    registry.initialize(object())
    check = DogtagCertsConfigCheck(registry)
    check.config = config.Config()
    self.results = capture_results(check)

    # Assert
    assert len(self.results) == 6
    for outcome in self.results.results:
        assert outcome.result == constants.SUCCESS
        assert outcome.source == 'ipahealthcheck.dogtag.ca'
        assert outcome.check == 'DogtagCertsConfigCheck'
def test_cacert_caless(self, mock_cainstance):
    """A CA-less master yields no results from the config check."""
    # CAInstance(False) is the test double for "no CA configured here".
    mock_cainstance.return_value = CAInstance(False)

    # NOTE(review): this passes the `config` name itself, whereas the
    # connectivity tests in this file pass config.Config — confirm intended.
    registry.initialize(object(), config)
    check = DogtagCertsConfigCheck(registry)
    self.results = capture_results(check)

    assert len(self.results) == 0
def test_cert_missing_from_file(self, mock_certdb, mock_directive):
    """A certificate whose directive value does not match is reported.

    If the certificate is missing from the database instead, this check
    will not catch it; that case is caught elsewhere.
    """
    # Nickname -> trust string given to mock_CertDB. The assertions below
    # look only at result, source, check and key, not at trust values.
    trust = {
        'ocspSigningCert cert-pki-ca': 'u,u,u',
        'subsystemCert cert-pki-ca': 'u,u,u',
        'auditSigningCert cert-pki-ca': 'u,u,Pu',
        'Server-Cert cert-pki-ca': 'u,u,u',
        'caSigningCert cert-pki-ca': 'CT,,',
        'transportCert cert-pki-kra': 'u,u,u',
    }

    # Corrupt the third directive so it no longer matches its nickname.
    nicknames = list(trust)
    location = nicknames.index('auditSigningCert cert-pki-ca')
    nicknames[location] = 'NOT auditSigningCert cert-pki-ca'

    mock_certdb.return_value = mock_CertDB(trust)
    mock_directive.side_effect = nicknames

    # Act
    registry.initialize(object())
    check = DogtagCertsConfigCheck(registry)
    check.config = config.Config()
    self.results = capture_results(check)

    # Every result except index 2 must be a clean SUCCESS.
    for position, outcome in enumerate(self.results.results):
        if position == 2:
            continue
        assert outcome.result == constants.SUCCESS
        assert outcome.source == 'ipahealthcheck.dogtag.ca'
        assert outcome.check == 'DogtagCertsConfigCheck'

    # Index 2 is the mismatched audit signing certificate.
    mismatched = self.results.results[2]
    assert mismatched.result == constants.ERROR
    assert mismatched.source == 'ipahealthcheck.dogtag.ca'
    assert mismatched.check == 'DogtagCertsConfigCheck'
    assert mismatched.kw.get('key') == 'auditSigningCert cert-pki-ca'

    assert len(self.results) == 6
def test_ca_connection_ok(self):
    """Connectivity check when cert_show answers with a non-revoked cert.

    Any side_effect left on the shared cert_show mock is cleared first so
    that the configured return value is what the check receives.
    """
    # Arrange
    m_api.Command.cert_show.side_effect = None
    healthy_reply = {u'result': {u'revoked': False}}
    m_api.Command.cert_show.return_value = healthy_reply

    # Act
    registry.initialize(object(), config.Config)
    check = DogtagCertsConnectivityCheck(registry)
    self.results = capture_results(check)

    # Assert
    assert len(self.results) == 1
    outcome = self.results.results[0]
    assert outcome.result == constants.SUCCESS
    assert outcome.source == 'ipahealthcheck.dogtag.ca'
    assert outcome.check == 'DogtagCertsConnectivityCheck'
def test_ca_connection_down(self):
    """Connectivity check with the CA down.

    cert_show is mocked to raise CertificateOperationError with an
    "Unable to communicate with CMS (503)" message. One ERROR result is
    expected and its msg must contain 'Unable to communicate'.
    """
    # Arrange
    cms_unreachable = CertificateOperationError(
        message='Certificate operation cannot be completed: '
                'Unable to communicate with CMS (503)')
    m_api.Command.cert_show.side_effect = cms_unreachable

    # Act
    registry.initialize(object(), config.Config)
    check = DogtagCertsConnectivityCheck(registry)
    self.results = capture_results(check)

    # Assert
    assert len(self.results) == 1
    outcome = self.results.results[0]
    assert outcome.result == constants.ERROR
    assert outcome.source == 'ipahealthcheck.dogtag.ca'
    assert outcome.check == 'DogtagCertsConnectivityCheck'
    reported = outcome.kw.get('msg')
    assert 'Unable to communicate' in reported
def test_ca_connection_cert_not_found(self):
    """Connectivity check when cert_show reports the serial number as missing.

    cert_show is mocked to raise CertificateOperationError carrying a
    "serial number 0x0 not found" message, and the test expects a single
    SUCCESS result.
    """
    # NOTE(review): a "not found" error is accepted as SUCCESS here,
    # presumably because any reply from the CA demonstrates connectivity —
    # confirm against DogtagCertsConnectivityCheck.
    m_api.Command.cert_show.reset_mock()
    serial_missing = CertificateOperationError(
        message='Certificate operation cannot be completed: '
                'EXCEPTION (Certificate serial number 0x0 not found)')
    m_api.Command.cert_show.side_effect = serial_missing

    # Act
    registry.initialize(object(), config.Config)
    check = DogtagCertsConnectivityCheck(registry)
    self.results = capture_results(check)

    # Assert
    assert len(self.results) == 1
    outcome = self.results.results[0]
    assert outcome.result == constants.SUCCESS
    assert outcome.source == 'ipahealthcheck.dogtag.ca'
    assert outcome.check == 'DogtagCertsConnectivityCheck'
def test_ca_connection_ok(self, mock_load_cert, mock_ca_subject):
    """Connectivity check when cert_show answers with a non-revoked cert.

    The certificate loader mock returns a single IPACertificate(12345) and
    the CA subject mock returns the realm's 'Certificate Authority' DN.
    One SUCCESS result is expected.
    """
    # Arrange: clear any side_effect left on the shared cert_show mock so
    # the return value below is what the check sees.
    m_api.Command.cert_show.side_effect = None
    m_api.Command.config_show.side_effect = subject_base
    m_api.Command.cert_show.return_value = {
        u'result': {u'revoked': False}
    }
    ca_cert = IPACertificate(12345)
    mock_load_cert.return_value = [ca_cert]
    mock_ca_subject.return_value = DN(
        ('cn', 'Certificate Authority'),
        f'O={m_api.env.realm}',
    )

    # Act
    registry.initialize(object(), config.Config)
    check = DogtagCertsConnectivityCheck(registry)
    self.results = capture_results(check)

    # Assert
    assert len(self.results) == 1
    outcome = self.results.results[0]
    assert outcome.result == constants.SUCCESS
    assert outcome.source == 'ipahealthcheck.dogtag.ca'
    assert outcome.check == 'DogtagCertsConnectivityCheck'
def test_ca_connection_cert_file_not_found(
    self, mock_load_cert, mock_ca_subject
):
    """Connectivity check when loading the CA certificate file fails.

    The certificate loader mock raises FileNotFoundError. One ERROR result
    is expected, with key 'ipa_ca_crt_file_missing' and path
    paths.IPA_CA_CRT.
    """
    # NOTE(review): reset_mock() is called without arguments and this test
    # does not set cert_show.side_effect; assuming m_api is a unittest.mock
    # object, whatever side_effect/return_value an earlier test configured
    # stays in place. Confirm the check never reaches cert_show here.
    m_api.Command.cert_show.reset_mock()
    m_api.Command.config_show.side_effect = subject_base
    mock_load_cert.side_effect = FileNotFoundError()
    mock_ca_subject.return_value = DN(
        ('cn', 'Certificate Authority'),
        f'O={m_api.env.realm}',
    )

    # Act
    registry.initialize(object(), config.Config)
    check = DogtagCertsConnectivityCheck(registry)
    self.results = capture_results(check)

    # Assert
    assert len(self.results) == 1
    outcome = self.results.results[0]
    assert outcome.result == constants.ERROR
    assert outcome.source == 'ipahealthcheck.dogtag.ca'
    assert outcome.check == 'DogtagCertsConnectivityCheck'
    expected_kw = {
        'key': 'ipa_ca_crt_file_missing',
        'path': paths.IPA_CA_CRT,
    }
    for field, wanted in expected_kw.items():
        assert outcome.kw.get(field) == wanted