    def test_nss_validation_ok_no_ca(self, mock_run, mock_cainstance):
        """Validate the NSS chain with the CA marked as not configured.

        Without a CA the check only has the DS (slapd) certificate to look
        at, so exactly one SUCCESS result is expected.
        """
        # NOTE(review): the @patch decorators that supply mock_run and
        # mock_cainstance are not part of this excerpt.
        def fake_run(args, raiseonerr=True):
            # Mimic certutil reporting a valid certificate with exit code 0.
            outcome = _RunResult('', '', 0)
            outcome.raw_output = b'certutil: certificate is valid\n'
            outcome.raw_error_output = b''
            return outcome

        mock_run.side_effect = fake_run
        mock_cainstance.return_value = CAInstance(False)

        registry.initialize(object())
        check = IPANSSChainValidation(registry)
        check.config = config.Config()
        self.results = capture_results(check)

        assert len(self.results) == 1

        for result in self.results.results:
            assert result.result == constants.SUCCESS
            assert result.source == 'ipahealthcheck.ipa.certs'
            assert result.check == 'IPANSSChainValidation'
            # The only key reported must be the DS certificate nickname.
            assert 'slapd-' in result.kw.get('key')
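class TestOpenSSLValidation(BaseTest):
    """Tests for IPAOpenSSLChainValidation with ``ipautil.run`` mocked out.

    Each test installs a fake ``run`` that fabricates the output of the
    external verification command for the file named by its last argument.
    """

    patches = {
        'ipaserver.install.cainstance.CAInstance':
        Mock(return_value=CAInstance()),
    }

    @patch('ipapython.ipautil.run')
    def test_openssl_validation_ok(self, mock_run):
        """Both certificates verify, so two SUCCESS results are expected."""
        def run(args, raiseonerr=True):
            # Exit code 0 and "<file>: OK" on stdout.  The original built
            # this with '%s: OK'.format(...), which leaves the '%s'
            # placeholder unsubstituted; the f-string fills in the path.
            result = _RunResult('', '', 0)
            result.raw_output = f'{args[-1]}: OK'.encode('utf-8')
            result.raw_error_output = b''
            return result

        mock_run.side_effect = run

        framework = object()
        registry.initialize(framework)
        f = IPAOpenSSLChainValidation(registry)

        f.config = config.Config()
        self.results = capture_results(f)

        assert len(self.results) == 2

        for result in self.results.results:
            assert result.result == constants.SUCCESS
            assert result.source == 'ipahealthcheck.ipa.certs'
            assert result.check == 'IPAOpenSSLChainValidation'

    @patch('ipapython.ipautil.run')
    def test_openssl_validation_bad(self, mock_run):
        """Verification fails for both certificates: two ERROR results whose
        message carries the 'verification failed' text."""
        def run(args, raiseonerr=True):
            # Exit code 2 and the usual issuer-lookup failure text.  As in
            # the ok case, '%s' was never substituted by .format(); the
            # f-string inserts the file path into the last line.
            result = _RunResult('', '', 2)
            result.raw_output = (
                'O = EXAMPLE.TEST, CN = ipa.example.test\n'
                'error 20 at 0 depth lookup: unable to get local issuer '
                f'certificate\nerror {args[-1]}: verification failed'
            ).encode('utf-8')
            result.raw_error_output = b''
            result.error_log = ''
            return result

        mock_run.side_effect = run

        framework = object()
        registry.initialize(framework)
        f = IPAOpenSSLChainValidation(registry)

        f.config = config.Config()
        self.results = capture_results(f)

        assert len(self.results) == 2

        for result in self.results.results:
            assert result.result == constants.ERROR
            assert result.source == 'ipahealthcheck.ipa.certs'
            assert result.check == 'IPAOpenSSLChainValidation'
            assert 'failed' in result.kw.get('msg')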
    def test_nss_validation_bad(self, mock_run, mock_cainstance):
        """Every NSS chain validation fails, so every result must be ERROR.

        With a CA configured two results are expected (the no-CA variant
        of this test yields a single one).
        """
        # NOTE(review): the @patch decorators supplying mock_run and
        # mock_cainstance are outside this excerpt.
        def failing_run(args, raiseonerr=True):
            # certutil exits non-zero and blames an untrusted issuer.
            outcome = _RunResult('', '', 255)
            outcome.raw_output = (
                "certutil: certificate is invalid: Peer's certificate issuer "
                'has been marked as not trusted by the user.'
            ).encode()
            outcome.raw_error_output = b''
            outcome.error_log = ''
            return outcome

        mock_run.side_effect = failing_run
        mock_cainstance.return_value = CAInstance()

        registry.initialize(object())
        check = IPANSSChainValidation(registry)
        check.config = config.Config()
        self.results = capture_results(check)

        assert len(self.results) == 2

        for result in self.results.results:
            assert result.result == constants.ERROR
            assert result.source == 'ipahealthcheck.ipa.certs'
            assert result.check == 'IPANSSChainValidation'
    def test_crlmanager_no_ca(self, mock_ca):
        """There should be no CRLManagerCheck result at all without a CA."""
        # NOTE(review): the @patch decorator supplying mock_ca is outside
        # this excerpt.
        mock_ca.return_value = CAInstance(False)

        # NOTE(review): the Config class (not an instance) is passed here,
        # while other tests on this page pass config.Config(); confirm which
        # form the registry expects.
        registry.initialize(object(), config.Config)
        check = IPACRLManagerCheck(registry)
        self.results = capture_results(check)

        assert len(self.results) == 0
    def test_trust_caless(self, mock_cainstance):
        """Nothing to check if the master is CALess: no result is emitted."""
        # NOTE(review): the @patch decorator supplying mock_cainstance is
        # outside this excerpt.
        mock_cainstance.return_value = CAInstance(False)

        # NOTE(review): the Config class (not an instance) is passed here,
        # while other tests on this page pass config.Config(); confirm which
        # form the registry expects.
        registry.initialize(object(), config.Config)
        check = IPACertNSSTrust(registry)
        self.results = capture_results(check)

        assert len(self.results) == 0
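class TestCertmonger(BaseTest):
    """Tests for IPACertmongerCA with ``find_ca`` answered from a fixed list.

    The method names keep their historical spelling ("certmogner") because
    test ids are referenced externally.
    """

    patches = {
        'ipaserver.install.cainstance.CAInstance':
        Mock(return_value=CAInstance()),
    }

    @patch('ipahealthcheck.ipa.certs.IPACertmongerCA.find_ca')
    def test_certmogner_ok(self, mock_find_ca):
        """All three expected certmonger CAs are found: three SUCCESS results."""
        mock_find_ca.side_effect = [
            'IPA',
            'dogtag-ipa-ca-renew-agent',
            'dogtag-ipa-ca-renew-agent-reuse'
        ]
        framework = object()
        registry.initialize(framework)
        f = IPACertmongerCA(registry)

        self.results = capture_results(f)

        assert len(self.results) == 3

        for result in self.results.results:
            assert result.result == constants.SUCCESS
            assert result.source == 'ipahealthcheck.ipa.certs'
            assert result.check == 'IPACertmongerCA'

    @patch('ipahealthcheck.ipa.certs.IPACertmongerCA.find_ca')
    def test_certmogner_missing(self, mock_find_ca):
        """The third CA is not reported by find_ca: two SUCCESS, one ERROR.

        Only two names are queued on the mock, so the third lookup is not
        answered with a name and the check must flag that CA as missing.
        """
        mock_find_ca.side_effect = [
            'IPA',
            'dogtag-ipa-ca-renew-agent',
        ]

        framework = object()
        registry.initialize(framework)
        f = IPACertmongerCA(registry)

        self.results = capture_results(f)

        assert len(self.results) == 3

        # Both found CAs must be SUCCESS.  The original loop used
        # range(0, 1) and therefore only ever inspected index 0.
        for result in self.results.results[:2]:
            assert result.result == constants.SUCCESS
            assert result.source == 'ipahealthcheck.ipa.certs'
            assert result.check == 'IPACertmongerCA'

        missing = self.results.results[2]
        assert missing.result == constants.ERROR
        assert missing.kw.get('key') == 'dogtag-ipa-ca-renew-agent-reuse'
        assert missing.kw.get('msg') == \
            "Certmonger CA 'dogtag-ipa-ca-renew-agent-reuse' missing"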
    def test_cacert_caless(self, mock_cainstance):
        """Nothing to check if the master is CALess: no result is emitted."""
        # NOTE(review): the @patch decorator supplying mock_cainstance is
        # outside this excerpt.
        mock_cainstance.return_value = CAInstance(False)

        registry.initialize(object())
        check = DogtagCertsConfigCheck(registry)
        check.config = config.Config()
        self.results = capture_results(check)

        assert len(self.results) == 0
    def test_crlmanager(self, mock_ca):
        """With a CA present the CRL manager check reports one SUCCESS and
        flags CRL generation as enabled."""
        # NOTE(review): the @patch decorator supplying mock_ca is outside
        # this excerpt.
        mock_ca.return_value = CAInstance()

        # NOTE(review): the Config class (not an instance) is passed here,
        # while other tests on this page pass config.Config(); confirm which
        # form the registry expects.
        registry.initialize(object(), config.Config)
        check = IPACRLManagerCheck(registry)
        self.results = capture_results(check)

        assert len(self.results) == 1

        (result,) = self.results.results
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.ipa.roles'
        assert result.check == 'IPACRLManagerCheck'
        assert result.kw.get('crlgen_enabled') is True
    def test_nss_validation_ok(self, mock_run, mock_cainstance):
        """Both NSS chain validations succeed with a CA configured.

        Two results are expected, both SUCCESS.
        """
        # NOTE(review): the @patch decorators supplying mock_run and
        # mock_cainstance are outside this excerpt.
        def fake_run(args, raiseonerr=True):
            # Mimic certutil reporting a valid certificate with exit code 0.
            outcome = _RunResult('', '', 0)
            outcome.raw_output = b'certutil: certificate is valid\n'
            outcome.raw_error_output = b''
            return outcome

        mock_run.side_effect = fake_run
        mock_cainstance.return_value = CAInstance()

        # NOTE(review): the Config class (not an instance) is passed here,
        # while other tests on this page pass config.Config(); confirm which
        # form the registry expects.
        registry.initialize(object(), config.Config)
        check = IPANSSChainValidation(registry)
        self.results = capture_results(check)

        assert len(self.results) == 2

        for result in self.results.results:
            assert result.result == constants.SUCCESS
            assert result.source == 'ipahealthcheck.ipa.certs'
            assert result.check == 'IPANSSChainValidation'
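class TestNSSAgent(BaseTest):
    """Tests for IPARAAgent against a mocked LDAP entry for ``uid=ipara`` and
    a mocked certificate file.

    ``cert`` is the certificate the patched ``load_certificate_from_file``
    returns, i.e. what the check believes is on disk.
    """

    cert = IPACertificate()
    patches = {
        'ldap.initialize':
        Mock(return_value=mock_ldap_conn()),
        'ipaserver.install.cainstance.CAInstance':
        Mock(return_value=CAInstance()),
        'ipalib.x509.load_certificate_from_file':
        Mock(return_value=cert),
    }

    # DN of the RA agent entry the check looks up.
    RA_AGENT_DN = 'uid=ipara,ou=people,o=ipaca'

    @staticmethod
    def _make_entry(dn, attrs, conn=None):
        """Build an LDAPEntry for *dn* holding *attrs* (name -> list of values).

        A schema-less LDAPClient is created unless *conn* is supplied, so
        several entries can share one client when a test needs that.
        """
        if conn is None:
            conn = LDAPClient('ldap://localhost', no_schema=True)
        entry = LDAPEntry(conn, DN(dn))
        for attr, values in attrs.items():
            entry[attr] = values
        return entry

    def test_nss_agent_ok(self):
        """Entry with a description and the on-disk cert: SUCCESS."""
        ldapentry = self._make_entry(self.RA_AGENT_DN, {
            'description': ['2;1;CN=ISSUER;CN=RA AGENT'],
            'usercertificate': [self.cert],
        })

        framework = object()
        registry.initialize(framework, config.Config())
        f = IPARAAgent(registry)

        f.conn = mock_ldap([ldapentry])
        self.results = capture_results(f)

        assert len(self.results) == 1

        result = self.results.results[0]
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.ipa.certs'
        assert result.check == 'IPARAAgent'

    def test_nss_agent_no_description(self):
        """Entry without the description attribute: ERROR naming it."""
        ldapentry = self._make_entry(self.RA_AGENT_DN, {
            'usercertificate': [self.cert],
        })

        framework = object()
        registry.initialize(framework, config.Config())
        f = IPARAAgent(registry)

        f.conn = mock_ldap([ldapentry])
        self.results = capture_results(f)
        result = self.results.results[0]

        assert result.result == constants.ERROR
        assert 'description' in result.kw.get('msg')

    @patch('ipalib.x509.load_certificate_from_file')
    def test_nss_agent_load_failure(self, mock_load_cert):
        """The certificate file cannot be read: ERROR carrying the error text."""
        mock_load_cert.side_effect = IOError('test')

        framework = object()
        registry.initialize(framework, config.Config())
        f = IPARAAgent(registry)

        self.results = capture_results(f)
        result = self.results.results[0]

        assert result.result == constants.ERROR
        assert result.kw.get('error') == 'test'

    def test_nss_agent_no_entry_found(self):
        """LDAP search raises NotFound (mocked as None): ERROR."""
        framework = object()
        registry.initialize(framework, config.Config())
        f = IPARAAgent(registry)

        f.conn = mock_ldap(None)  # None == NotFound
        self.results = capture_results(f)
        result = self.results.results[0]

        assert result.result == constants.ERROR
        assert result.kw.get('msg') == 'RA agent not found in LDAP'

    def test_nss_agent_too_many(self):
        """Two matching entries: ERROR reporting the number found."""
        attrs = {
            'description': ['2;1;CN=ISSUER;CN=RA AGENT'],
            'usercertificate': [self.cert],
        }
        conn = LDAPClient('ldap://localhost', no_schema=True)
        ldapentry = self._make_entry(self.RA_AGENT_DN, attrs, conn)
        # The original populated ldapentry a second time and left
        # ldapentry2 without attributes; both entries now carry them.
        ldapentry2 = self._make_entry('uid=ipara2,ou=people,o=ipaca',
                                      attrs, conn)

        framework = object()
        registry.initialize(framework, config.Config())
        f = IPARAAgent(registry)

        f.conn = mock_ldap([ldapentry, ldapentry2])
        self.results = capture_results(f)
        result = self.results.results[0]

        assert result.result == constants.ERROR
        assert result.kw.get('found') == 2

    def test_nss_agent_nonmatching_cert(self):
        """The entry's certificate differs from the on-disk one: ERROR that
        names the file and the DN."""
        cert2 = IPACertificate(2)

        ldapentry = self._make_entry(self.RA_AGENT_DN, {
            'description': ['2;1;CN=ISSUER;CN=RA AGENT'],
            'usercertificate': [cert2],
        })

        framework = object()
        registry.initialize(framework, config.Config())
        f = IPARAAgent(registry)

        f.conn = mock_ldap([ldapentry])
        self.results = capture_results(f)
        result = self.results.results[0]

        assert result.result == constants.ERROR
        assert result.kw.get('certfile') == paths.RA_AGENT_PEM
        assert result.kw.get('dn') == 'uid=ipara,ou=people,o=ipaca'

    def test_nss_agent_multiple_certs(self):
        """Several certificates on the entry, one of them matching: SUCCESS."""
        cert2 = IPACertificate(2)

        ldapentry = self._make_entry(self.RA_AGENT_DN, {
            'description': ['2;1;CN=ISSUER;CN=RA AGENT'],
            'usercertificate': [cert2, self.cert],
        })

        framework = object()
        # Pass a Config instance like the other tests in this class; the
        # original passed the class itself.
        registry.initialize(framework, config.Config())
        f = IPARAAgent(registry)

        f.conn = mock_ldap([ldapentry])
        self.results = capture_results(f)

        assert len(self.results) == 1

        result = self.results.results[0]
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.ipa.certs'
        assert result.check == 'IPARAAgent'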
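class TestCAConnectivity(BaseTest):
    """Tests for DogtagCertsConnectivityCheck.

    ``m_api.Command.cert_show`` / ``config_show`` are shared mocks, so each
    test sets the ``side_effect`` it needs explicitly; ``reset_mock()`` only
    clears call history and does not reset a ``side_effect`` left by an
    earlier test.  The CA certificate list is supplied through the patched
    ``load_certificate_list_from_file`` and the expected CA subject through
    the patched ``lookup_ca_subject``.
    """

    patches = {
        'ipaserver.install.cainstance.CAInstance':
        Mock(return_value=CAInstance()),
    }

    @staticmethod
    def _ca_subject(org=None):
        """DN returned by the mocked lookup_ca_subject.

        Defaults to ``O=<API realm>``; pass *org* to build a mismatching one.
        """
        if org is None:
            org = m_api.env.realm
        return DN(('cn', 'Certificate Authority'), f'O={org}')

    def _run_check(self):
        """Run the connectivity check and return its single result.

        Asserts that exactly one result was produced.
        """
        framework = object()
        registry.initialize(framework, config.Config)
        f = DogtagCertsConnectivityCheck(registry)

        self.results = capture_results(f)

        assert len(self.results) == 1
        return self.results.results[0]

    @patch('ipaserver.install.ca.lookup_ca_subject')
    @patch('ipalib.x509.load_certificate_list_from_file')
    def test_ca_connection_ok(self, mock_load_cert, mock_ca_subject):
        """CA connectivity check when cert_show returns a valid value."""
        m_api.Command.cert_show.side_effect = None
        m_api.Command.config_show.side_effect = subject_base
        m_api.Command.cert_show.return_value = {
            'result': {'revoked': False}
        }
        mock_load_cert.return_value = [IPACertificate(12345)]
        mock_ca_subject.return_value = self._ca_subject()

        result = self._run_check()
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.check == 'DogtagCertsConnectivityCheck'

    @patch('ipaserver.install.ca.lookup_ca_subject')
    @patch('ipalib.x509.load_certificate_list_from_file')
    def test_ca_connection_cert_not_found(self, mock_load_cert,
                                          mock_ca_subject):
        """CA connectivity check when the CA answers but does not know the
        serial number: an ERROR keyed on the serial is expected."""
        m_api.Command.cert_show.reset_mock()
        m_api.Command.config_show.side_effect = subject_base
        m_api.Command.cert_show.side_effect = CertificateOperationError(
            message='Certificate operation cannot be completed: '
                    'EXCEPTION (Certificate serial number 0x0 not found)'
        )
        mock_load_cert.return_value = [IPACertificate()]
        mock_ca_subject.return_value = self._ca_subject()

        result = self._run_check()
        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.check == 'DogtagCertsConnectivityCheck'
        assert result.kw.get('key') == 'cert_show_1'
        assert result.kw.get('serial') == '1'
        assert result.kw.get('msg') == 'Serial number not found: {error}'

    @patch('ipaserver.install.ca.lookup_ca_subject')
    @patch('ipalib.x509.load_certificate_list_from_file')
    def test_ca_connection_cert_file_not_found(self, mock_load_cert,
                                               mock_ca_subject):
        """CA connectivity check when the CA certificate file (IPA_CA_CRT)
        cannot be loaded: an ERROR naming the missing path is expected."""
        m_api.Command.cert_show.reset_mock()
        m_api.Command.config_show.side_effect = subject_base
        mock_load_cert.side_effect = FileNotFoundError()
        mock_ca_subject.return_value = self._ca_subject()

        result = self._run_check()
        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.check == 'DogtagCertsConnectivityCheck'
        assert result.kw.get('key') == 'ipa_ca_crt_file_missing'
        assert result.kw.get('path') == paths.IPA_CA_CRT

    @patch('ipaserver.install.ca.lookup_ca_subject')
    @patch('ipalib.x509.load_certificate_list_from_file')
    def test_ca_connection_cert_not_in_file_list(self, mock_load_cert,
                                                 mock_ca_subject):
        """CA connectivity check for a cert that isn't in IPA_CA_CRT.

        The configured subject base and the looked-up CA subject both point
        at ``O=BAD``, which no certificate in the file carries.
        """
        m_api.Command.cert_show.reset_mock()
        m_api.Command.config_show.side_effect = bad_subject_base
        mock_load_cert.return_value = [IPACertificate()]
        mock_ca_subject.return_value = self._ca_subject('BAD')

        result = self._run_check()
        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.check == 'DogtagCertsConnectivityCheck'
        bad = bad_subject_base[0]['result']['ipacertificatesubjectbase'][0]
        bad_subject = DN(f'CN=Certificate Authority,{bad}')
        assert DN(result.kw['subject']) == bad_subject
        assert result.kw['path'] == paths.IPA_CA_CRT
        assert result.kw['msg'] == (
            'The CA certificate with subject {subject} was not found in {path}'
        )

    @patch('ipaserver.install.ca.lookup_ca_subject')
    @patch('ipalib.x509.load_certificate_list_from_file')
    def test_ca_connection_down(self, mock_load_cert, mock_ca_subject):
        """CA connectivity check with the CA down (CMS answers 503)."""
        m_api.Command.cert_show.side_effect = CertificateOperationError(
            message='Certificate operation cannot be completed: '
                    'Unable to communicate with CMS (503)'
        )
        m_api.Command.config_show.side_effect = subject_base
        mock_load_cert.return_value = [IPACertificate()]
        mock_ca_subject.return_value = self._ca_subject()

        result = self._run_check()
        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.check == 'DogtagCertsConnectivityCheck'
        assert result.kw.get('msg') == (
            'Request for certificate failed: {error}'
        )

    @patch('ipaserver.install.ca.lookup_ca_subject')
    @patch('ipalib.x509.load_certificate_list_from_file')
    def test_ca_connection_multiple_ok(self, mock_load_cert, mock_ca_subject):
        """CA connectivity check when the file holds several certificates and
        the matching one comes last."""
        m_api.Command.cert_show.side_effect = None
        m_api.Command.config_show.side_effect = subject_base
        m_api.Command.cert_show.return_value = {
            'result': {'revoked': False}
        }
        mock_load_cert.return_value = [
            IPACertificate(1, 'CN=something'),
            IPACertificate(12345),
        ]
        mock_ca_subject.return_value = self._ca_subject()

        result = self._run_check()
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.dogtag.ca'

    @patch('ipaserver.install.ca.lookup_ca_subject')
    @patch('ipalib.x509.load_certificate_list_from_file')
    def test_ca_connection_multiple_ok_reverse(self, mock_load_cert,
                                               mock_ca_subject):
        """CA connectivity check when the file holds several certificates and
        the matching one comes first."""
        m_api.Command.cert_show.side_effect = None
        m_api.Command.config_show.side_effect = subject_base
        m_api.Command.cert_show.return_value = {
            'result': {'revoked': False}
        }
        mock_load_cert.return_value = [
            IPACertificate(12345),
            IPACertificate(1, 'CN=something'),
        ]
        mock_ca_subject.return_value = self._ca_subject()

        result = self._run_check()
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.dogtag.ca'

    @patch('ipaserver.install.ca.lookup_ca_subject')
    @patch('ipalib.x509.load_certificate_list_from_file')
    def test_ca_connection_not_found(self, mock_load_cert, mock_ca_subject):
        """CA connectivity check when no certificate in the file carries the
        expected CA subject: an ERROR is expected even though cert_show
        would succeed."""
        m_api.Command.cert_show.side_effect = None
        m_api.Command.config_show.side_effect = subject_base
        m_api.Command.cert_show.return_value = {
            'result': {'revoked': False}
        }
        mock_load_cert.return_value = [
            IPACertificate(1, 'CN=something'),
        ]
        mock_ca_subject.return_value = self._ca_subject()

        result = self._run_check()
        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.kw['msg'] == (
            'The CA certificate with subject {subject} was not found in {path}'
        )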
class TestCAConnectivity(BaseTest):
    """Earlier variant of the DogtagCertsConnectivityCheck tests that drives
    the check purely through the shared ``m_api.Command.cert_show`` mock.

    NOTE(review): in this variant a "serial number not found" answer is
    treated as SUCCESS; the newer variant on this page reports it as ERROR.
    """

    patches = {
        'ipaserver.install.cainstance.CAInstance':
        Mock(return_value=CAInstance()),
    }

    def _run_check(self):
        """Run the connectivity check, assert one result, and return it."""
        registry.initialize(object(), config.Config)
        check = DogtagCertsConnectivityCheck(registry)

        self.results = capture_results(check)

        assert len(self.results) == 1
        return self.results.results[0]

    def test_ca_connection_ok(self):
        """CA connectivity check when cert_show returns a valid value."""
        m_api.Command.cert_show.side_effect = None
        m_api.Command.cert_show.return_value = {'result': {'revoked': False}}

        result = self._run_check()
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.check == 'DogtagCertsConnectivityCheck'

    def test_ca_connection_cert_not_found(self):
        """CA connectivity check for a cert that doesn't exist."""
        # reset_mock() clears call history only; the side_effect is set
        # explicitly right after.
        m_api.Command.cert_show.reset_mock()
        m_api.Command.cert_show.side_effect = CertificateOperationError(
            message='Certificate operation cannot be completed: '
            'EXCEPTION (Certificate serial number 0x0 not found)')

        result = self._run_check()
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.check == 'DogtagCertsConnectivityCheck'

    def test_ca_connection_down(self):
        """CA connectivity check with the CA down (CMS answers 503)."""
        m_api.Command.cert_show.side_effect = CertificateOperationError(
            message='Certificate operation cannot be completed: '
            'Unable to communicate with CMS (503)')

        result = self._run_check()
        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.check == 'DogtagCertsConnectivityCheck'
        assert 'Unable to communicate' in result.kw.get('msg')
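class TestCACerts(BaseTest):
    """Tests for DogtagCertsConfigCheck with the NSS database (CertDB) and the
    ``get_directive`` nickname lookups mocked.

    ``get_directive`` is answered with one nickname per call, in the order
    of the ``trust`` mapping, so the n-th result corresponds to the n-th
    entry of that mapping.
    """

    patches = {
        'ipaserver.install.cainstance.CAInstance':
        Mock(return_value=CAInstance()),
        'ipaserver.install.krainstance.KRAInstance':
        Mock(return_value=KRAInstance()),
    }

    @patch('ipahealthcheck.dogtag.ca.get_directive')
    @patch('ipaserver.install.certs.CertDB')
    def test_ca_certs_ok(self, mock_certdb, mock_directive):
        """Test what should be the standard case: every configured nickname
        is present in the database, one SUCCESS per certificate."""
        trust = {
            'ocspSigningCert cert-pki-ca': 'u,u,u',
            'subsystemCert cert-pki-ca': 'u,u,u',
            'auditSigningCert cert-pki-ca': 'u,u,Pu',
            'Server-Cert cert-pki-ca': 'u,u,u',
            'caSigningCert cert-pki-ca': 'CT,C,C',
            'transportCert cert-pki-kra': 'u,u,u',
        }
        mock_certdb.return_value = mock_CertDB(trust)
        # Only the nicknames are needed; the trust flags live in the DB mock.
        mock_directive.side_effect = list(trust)

        framework = object()
        registry.initialize(framework)
        f = DogtagCertsConfigCheck(registry)

        f.config = config.Config()
        self.results = capture_results(f)

        assert len(self.results) == 6

        for result in self.results.results:
            assert result.result == constants.SUCCESS
            assert result.source == 'ipahealthcheck.dogtag.ca'
            assert result.check == 'DogtagCertsConfigCheck'

    @patch('ipahealthcheck.dogtag.ca.get_directive')
    @patch('ipaserver.install.certs.CertDB')
    def test_cert_missing_from_file(self, mock_certdb, mock_directive):
        """Test a configured nickname that does not match the database.

           Note that if it is missing from the database then this check
           will not catch the error but it will be caught elsewhere.
        """
        trust = {
            'ocspSigningCert cert-pki-ca': 'u,u,u',
            'subsystemCert cert-pki-ca': 'u,u,u',
            'auditSigningCert cert-pki-ca': 'u,u,Pu',
            'Server-Cert cert-pki-ca': 'u,u,u',
            'caSigningCert cert-pki-ca': 'CT,,',
            'transportCert cert-pki-kra': 'u,u,u',
        }

        # Make the configured name of the 3rd cert differ from the DB so
        # that exactly that result is expected to fail.
        nicknames = list(trust)
        bad_index = nicknames.index('auditSigningCert cert-pki-ca')
        nicknames[bad_index] = 'NOT auditSigningCert cert-pki-ca'

        mock_certdb.return_value = mock_CertDB(trust)
        mock_directive.side_effect = nicknames

        framework = object()
        registry.initialize(framework)
        f = DogtagCertsConfigCheck(registry)

        f.config = config.Config()
        self.results = capture_results(f)

        assert len(self.results) == 6

        for index, result in enumerate(self.results.results):
            if index == bad_index:
                continue  # the mismatching one is checked separately below
            assert result.result == constants.SUCCESS
            assert result.source == 'ipahealthcheck.dogtag.ca'
            assert result.check == 'DogtagCertsConfigCheck'

        result = self.results.results[bad_index]

        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.dogtag.ca'
        assert result.check == 'DogtagCertsConfigCheck'
        # The error is keyed on the nickname the database actually holds.
        assert result.kw.get('key') == 'auditSigningCert cert-pki-ca'

    @patch('ipaserver.install.cainstance.CAInstance')
    def test_cacert_caless(self, mock_cainstance):
        """Nothing to check if the master is CALess: no result is emitted."""
        mock_cainstance.return_value = CAInstance(False)

        framework = object()
        registry.initialize(framework)
        f = DogtagCertsConfigCheck(registry)

        f.config = config.Config()
        self.results = capture_results(f)

        assert len(self.results) == 0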
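class TestNSSDBTrust(BaseTest):
    """Tests for IPACertNSSTrust.

    The check compares the NSS trust flags of the Dogtag CA subsystem
    certificates with the values it expects for each nickname. A trust
    mismatch and a missing certificate must each surface as an ERROR,
    while a correct database yields only SUCCESS results.

    The CA is mocked as installed and the KRA as absent, so only the four
    ``cert-pki-ca`` nicknames are expected; ``unparse_trust_flags`` is
    replaced so the mocked CertDB can hand back plain flag strings.
    """
    patches = {
        'ipaserver.install.cainstance.CAInstance':
        Mock(return_value=CAInstance()),
        'ipaserver.install.krainstance.KRAInstance':
        Mock(return_value=KRAInstance(False)),
        'ipapython.certdb.unparse_trust_flags':
        Mock(side_effect=my_unparse_trust_flags),
    }

    def _run_check(self):
        """Run IPACertNSSTrust against a fresh registry.

        Stores the captured results in ``self.results`` and returns them.
        """
        framework = object()
        registry.initialize(framework, config.Config)
        check = IPACertNSSTrust(registry)
        self.results = capture_results(check)
        return self.results

    @staticmethod
    def _assert_success(result):
        """Assert *result* is a SUCCESS from IPACertNSSTrust for a CA cert."""
        assert result.result == constants.SUCCESS
        assert result.source == 'ipahealthcheck.ipa.certs'
        assert result.check == 'IPACertNSSTrust'
        assert 'cert-pki-ca' in result.kw.get('key')

    @staticmethod
    def _assert_error(result, key, msg):
        """Assert *result* is an IPACertNSSTrust ERROR for *key* with *msg*."""
        assert result.result == constants.ERROR
        assert result.source == 'ipahealthcheck.ipa.certs'
        assert result.check == 'IPACertNSSTrust'
        assert result.kw.get('key') == key
        assert result.kw.get('msg') == msg

    @patch('ipaserver.install.certs.CertDB')
    def test_trust_default_ok(self, mock_certdb):
        """The standard case: all four certs present with expected trust."""
        trust = {
            'ocspSigningCert cert-pki-ca': 'u,u,u',
            'subsystemCert cert-pki-ca': 'u,u,u',
            'auditSigningCert cert-pki-ca': 'u,u,Pu',
            'Server-Cert cert-pki-ca': 'u,u,u'
        }
        mock_certdb.return_value = mock_CertDB(trust)

        results = self._run_check()

        assert len(results) == 4
        for result in results.results:
            self._assert_success(result)

    @patch('ipaserver.install.certs.CertDB')
    def test_trust_ocsp_missing(self, mock_certdb):
        """A certificate absent from the NSS database is reported as ERROR.

        The check reports SUCCESS for every expected certificate it finds
        with correct trust and reports missing ones after those, so with
        only ocspSigningCert removed the first three results must be
        SUCCESS and the last one the missing-certificate ERROR.
        """
        trust = {
            'subsystemCert cert-pki-ca': 'u,u,u',
            'auditSigningCert cert-pki-ca': 'u,u,Pu',
            'Server-Cert cert-pki-ca': 'u,u,u'
        }
        mock_certdb.return_value = mock_CertDB(trust)

        results = self._run_check()

        assert len(results) == 4
        # Every present certificate must pass. The previous loop bound of
        # ``len(results) - 2`` stopped one short and left the third
        # (present, correct) certificate unchecked.
        present = results.results[:-1]
        assert len(present) == 3
        for result in present:
            self._assert_success(result)

        self._assert_error(
            results.results[-1],
            'ocspSigningCert cert-pki-ca',
            'Certificate ocspSigningCert cert-pki-ca missing while '
            'verifying trust',
        )

    @patch('ipaserver.install.certs.CertDB')
    def test_trust_bad(self, mock_certdb):
        """Two certificates with unexpected trust each produce an ERROR.

        The two untouched certificates must still pass, so the ERRORs are
        confined to the mismatched nicknames and nothing else is flagged.
        """
        trust = {
            'ocspSigningCert cert-pki-ca': 'u,u,u',
            'subsystemCert cert-pki-ca': 'X,u,u',
            'auditSigningCert cert-pki-ca': 'u,u,Pu',
            'Server-Cert cert-pki-ca': 'X,u,u'
        }
        mock_certdb.return_value = mock_CertDB(trust)

        results = self._run_check()

        assert len(results) == 4
        # One result per expected nickname; the indexes follow the order
        # the mismatched certificates were observed at (1 and 3), so the
        # remaining two (0 and 2) are the correctly-trusted ones.
        self._assert_success(results.results[0])
        self._assert_error(
            results.results[1],
            'subsystemCert cert-pki-ca',
            'Incorrect NSS trust for subsystemCert cert-pki-ca. '
            'Got X,u,u expected u,u,u',
        )
        self._assert_success(results.results[2])
        self._assert_error(
            results.results[3],
            'Server-Cert cert-pki-ca',
            'Incorrect NSS trust for Server-Cert cert-pki-ca. '
            'Got X,u,u expected u,u,u',
        )

    @patch('ipaserver.install.cainstance.CAInstance')
    def test_trust_caless(self, mock_cainstance):
        """A CA-less master has no Dogtag certificates, so no results."""
        mock_cainstance.return_value = CAInstance(False)

        results = self._run_check()

        assert len(results) == 0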
class TestRevocation(BaseTest):
    patches = {
        'ipaserver.install.certs.is_ipa_issued_cert':
        Mock(return_value=True),
        'ipalib.x509.load_certificate_from_file':
        Mock(return_value=IPACertificate()),
        'ipahealthcheck.ipa.certs.get_expected_requests':
        Mock(return_value=get_expected_requests()),
        'ipalib.install.certmonger._cm_dbus_object':
        Mock(side_effect=create_mock_dbus),
        'ipalib.install.certmonger._certmonger':
        Mock(return_value=_certmonger()),
        'ipaserver.install.cainstance.CAInstance':
        Mock(return_value=CAInstance()),
    }

    def test_revocation_ok(self):
        """Two tracked certificates, neither revoked: two SUCCESS results.

        cert_show is answered once per expected request, each answer
        stating the certificate is not revoked.
        """
        m_api.Command.cert_show.side_effect = [
            {u'result': {u'revoked': False}} for _ in range(2)
        ]

        set_requests()

        registry.initialize(object())
        check = IPACertRevocation(registry)
        check.config = config.Config()
        self.results = capture_results(check)

        assert len(self.results) == 2

        expected = (
            constants.SUCCESS, 'ipahealthcheck.ipa.certs', 'IPACertRevocation'
        )
        for outcome in self.results.results:
            assert (outcome.result, outcome.source, outcome.check) == expected

    def test_revocation_one_bad(self):
        """One of two certificates is revoked: SUCCESS then ERROR.

        The second cert_show answer carries revocation_reason 4, which the
        check is expected to render as the human-readable 'superseded'.
        """
        m_api.Command.cert_show.side_effect = [
            {u'result': {u'revoked': False}},
            {u'result': {u'revoked': True, u'revocation_reason': 4}},
        ]
        set_requests()

        registry.initialize(object())
        check = IPACertRevocation(registry)
        check.config = config.Config()
        self.results = capture_results(check)

        assert len(self.results) == 2

        good, bad = self.results.results[0], self.results.results[1]

        assert good.result == constants.SUCCESS
        assert good.source == 'ipahealthcheck.ipa.certs'
        assert good.check == 'IPACertRevocation'

        assert bad.result == constants.ERROR
        assert bad.source == 'ipahealthcheck.ipa.certs'
        assert bad.check == 'IPACertRevocation'
        assert bad.kw.get('revocation_reason') == 'superseded'