def test_rolecheck_DNS_CA(self):
"""ipa-backup rolecheck:
start with a master with DNS and CA then
gradually upgrade a replica to the DNS and CA
roles.
"""
# single master: check that backup works.
assert self._ipa_replica_role_check(self.master.hostname,
self.serverroles['DNS'])
assert self._ipa_replica_role_check(self.master.hostname,
self.serverroles['CA'])
assert not self._ipa_replica_role_check(self.master.hostname,
self.serverroles['KRA'])
self._check_rolecheck_backup_success(self.master)
# install CA-less, DNS-less replica
tasks.install_replica(self.master, self.replicas[0], setup_ca=False)
assert not self._ipa_replica_role_check(self.replicas[0].hostname,
self.serverroles['DNS'])
assert not self._ipa_replica_role_check(self.replicas[0].hostname,
self.serverroles['CA'])
assert not self._ipa_replica_role_check(self.replicas[0].hostname,
self.serverroles['KRA'])
self._check_rolecheck_backup_success(self.master)
self._check_rolecheck_backup_failure(self.replicas[0])
# install DNS on replica
tasks.install_dns(self.replicas[0])
assert self._ipa_replica_role_check(self.replicas[0].hostname,
self.serverroles['DNS'])
self._check_rolecheck_backup_failure(self.replicas[0])
def test_install_dns_on_replica1_and_dnssec_on_master(self):
"""
install DNS server on replica and DNSSec on master
"""
tasks.install_dns(self.replicas[0])
args = [
"ipa-dns-install",
"--dnssec-master",
"--forwarder", self.master.config.dns_forwarder,
"-U",
]
self.master.run_command(args)
def test_install_dns_on_replica1_and_dnssec_on_master(self):
"""
install DNS server on replica and DNSSec on master
"""
tasks.install_dns(self.replicas[0])
args = [
"ipa-dns-install",
"--dnssec-master",
"--forwarder", self.master.config.dns_forwarder,
"-U",
]
self.master.run_command(args)
Firewall(self.master).enable_service("dns")
def test_replica1_ipa_dns_install(self):
tasks.install_dns(self.replicas[1])
def test_install_dns(self):
tasks.install_dns(self.master)
def test_install_dns(self):
tasks.install_dns(
self.master,
extra_args=['--dnssec-master', '--no-dnssec-validation']
)
def test_replica2_ipa_dns_install(self):
tasks.install_dns(self.replicas[2])
def test_install_dns(self):
tasks.install_dns(self.master)
def test_install_dns(self):
tasks.install_dns(
self.master,
extra_args=['--dnssec-master', '--no-dnssec-validation'])
def install(cls, mh):
tasks.install_master(cls.master)
tasks.install_dns(cls.master)
def test_certmonger_reads_token_HSM(self):
"""Test if certmonger reads the token in HSM
This is to ensure added HSM support for FreeIPA. This test adds
certificate with sofhsm token and checks if certmonger is tracking
it.
related : https://pagure.io/certmonger/issue/125
"""
test_service = 'test/%s' % self.master.hostname
pkcs_passwd = 'Secret123'
pin = '123456'
noisefile = '/tmp/noisefile'
self.master.put_file_contents(noisefile, os.urandom(64))
tasks.kinit_admin(self.master)
tasks.install_dns(self.master)
self.master.run_command(['ipa', 'service-add', test_service])
# create a csr
cmd_args = ['certutil', '-d', paths.NSS_DB_DIR, '-R', '-a',
'-o', '/root/ipa.csr',
'-s', "CN=%s" % self.master.hostname,
'-z', noisefile]
self.master.run_command(cmd_args)
# request certificate
cmd_args = ['ipa', 'cert-request', '--principal', test_service,
'--certificate-out', '/root/test.pem', '/root/ipa.csr']
self.master.run_command(cmd_args)
# adding trust flag
cmd_args = ['certutil', '-A', '-d', paths.NSS_DB_DIR, '-n',
'test', '-a', '-i', '/root/test.pem', '-t', 'u,u,u']
self.master.run_command(cmd_args)
# export pkcs12 file
cmd_args = ['pk12util', '-o', '/root/test.p12',
'-d', paths.NSS_DB_DIR, '-n', 'test', '-W', pkcs_passwd]
self.master.run_command(cmd_args)
# add softhsm lib
cmd_args = ['modutil', '-dbdir', paths.NSS_DB_DIR, '-add',
'softhsm', '-libfile', '/usr/lib64/softhsm/libsofthsm.so']
self.master.run_command(cmd_args, stdin_text="\n\n")
# create a token
cmd_args = ['softhsm2-util', '--init-token', '--label', 'test',
'--pin', pin, '--so-pin', pin, '--free']
self.master.run_command(cmd_args)
self.master.run_command(['softhsm2-util', '--show-slots'])
cmd_args = ['certutil', '-F', '-d', paths.NSS_DB_DIR, '-n', 'test']
self.master.run_command(cmd_args)
cmd_args = ['pk12util', '-i', '/root/test.p12',
'-d', paths.NSS_DB_DIR, '-h', 'test',
'-W', pkcs_passwd, '-K', pin]
self.master.run_command(cmd_args)
cmd_args = ['certutil', '-A', '-d', paths.NSS_DB_DIR, '-n', 'IPA CA',
'-t', 'CT,,', '-a', '-i', paths.IPA_CA_CRT]
self.master.run_command(cmd_args)
# validate the certificate
self.master.put_file_contents('/root/pinfile', pin)
cmd_args = ['certutil', '-V', '-u', 'V', '-e', '-d', paths.NSS_DB_DIR,
'-h', 'test', '-n', 'test:test', '-f', '/root/pinfile']
result = self.master.run_command(cmd_args)
assert 'certificate is valid' in result.stdout_text
# add certificate tracking to certmonger
cmd_args = ['ipa-getcert', 'start-tracking', '-d', paths.NSS_DB_DIR,
'-n', 'test', '-t', 'test', '-P', pin,
'-K', test_service]
result = self.master.run_command(cmd_args)
request_id = re.findall(r'\d+', result.stdout_text)
# check if certificate is tracked by certmonger
status = tasks.wait_for_request(self.master, request_id[0], 300)
assert status == "MONITORING"
# ensure if key and token are re-usable
cmd_args = ['getcert', 'resubmit', '-i', request_id[0]]
self.master.run_command(cmd_args)
status = tasks.wait_for_request(self.master, request_id[0], 300)
assert status == "MONITORING"
