def test_external_ca(self):
    """Install with an externally signed CA, then reject a corrupt renewal.

    First half: the two-step external-CA install (step 1 emits the CSR,
    the test root CA signs it, step 2 completes the install with the
    signed chain).  Second half: a renewal is started with
    ``ipa-cacert-manage renew --external-ca``, a deliberately broken
    certificate file is built by stripping every line containing
    ``CERTIFICATE`` (the PEM armour) from the valid IPA CA cert, and
    ``ipa-cacert-manage renew --external-cert-file`` is expected to
    refuse that file with exit status 1.
    """
    # Step 1 of ipa-server-install: produce the CSR for the external CA.
    install_server_external_ca_step1(self.master)

    # Sign the CSR with the test root CA; returns the on-host paths of
    # the root CA cert and the signed IPA CA cert.
    root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
        self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)

    # Step 2 of ipa-server-install: finish with the signed chain.
    install_server_external_ca_step2(self.master, ipa_ca_fname, root_ca_fname)

    # Begin a renewal cycle that expects an externally signed cert.
    self.master.run_command(
        [paths.IPA_CACERT_MANAGE, 'renew', '--external-ca'])

    # Corrupt the valid cert: without its BEGIN/END CERTIFICATE lines
    # the file is bare base64 and no longer parses as PEM.
    armour_stripped = self.master.run_command(
        ['grep', '-v', 'CERTIFICATE', ipa_ca_fname]).stdout_text
    bad_cert_path = os.path.join(self.master.config.test_dir, 'bad_ca.crt')
    self.master.put_file_contents(bad_cert_path, armour_stripped)

    # Sign the renewal CSR so a valid root CA file exists on the host;
    # only the IPA CA file handed to the renew command is the broken one.
    root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
        self.master, paths.IPA_CA_CSR, ROOT_CA, IPA_CA)

    # The renew must fail.  NOTE(review): only the exit status is
    # asserted, so a failure for an unrelated reason would also pass.
    renew_cmd = [
        paths.IPA_CACERT_MANAGE, 'renew',
        '--external-cert-file', bad_cert_path,
        '--external-cert-file', root_ca_fname,
    ]
    outcome = self.master.run_command(renew_cmd, raiseonerr=False)
    assert outcome.returncode == 1
def test_external_ca(self):
    """External-CA install followed by a renewal with an unparsable cert.

    After the standard two-step install (CSR from step 1, signed by the
    test root CA, completed by step 2), a renewal is opened with
    ``ipa-cacert-manage renew --external-ca``.  The valid IPA CA cert is
    then mangled by removing all lines containing ``CERTIFICATE`` (the
    PEM header/footer) and the mangled file is offered to
    ``ipa-cacert-manage renew --external-cert-file`` together with a
    freshly signed root CA.  The command is expected to exit with 1.
    """
    BAD_CERT = 'bad_ca.crt'

    # Step 1 of ipa-server-install.
    install_server_external_ca_step1(self.master)

    # Sign the CSR externally and bring both certificates onto the host.
    root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
        self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)

    # Step 2 of ipa-server-install.
    install_server_external_ca_step2(
        self.master, ipa_ca_fname, root_ca_fname)

    # Kick off a renewal that expects an externally signed certificate.
    self.master.run_command(
        [paths.IPA_CACERT_MANAGE, 'renew', '--external-ca'])

    # Build the invalid certificate: strip the PEM armour lines.
    grep_out = self.master.run_command(
        ['grep', '-v', 'CERTIFICATE', ipa_ca_fname])
    broken_pem = grep_out.stdout_text
    invalid_cert = os.path.join(self.master.config.test_dir, BAD_CERT)
    self.master.put_file_contents(invalid_cert, broken_pem)

    # Sign the renewal CSR; this supplies the valid root CA file used
    # alongside the broken IPA CA file below.
    root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
        self.master, paths.IPA_CA_CSR, ROOT_CA, IPA_CA)

    # Renewal with the invalid cert must be rejected (exit status 1).
    # NOTE(review): nothing pins the reason for the failure.
    renewal = self.master.run_command(
        [
            paths.IPA_CACERT_MANAGE, 'renew',
            '--external-cert-file', invalid_cert,
            '--external-cert-file', root_ca_fname,
        ],
        raiseonerr=False,
    )
    assert renewal.returncode == 1
def test_switch_to_external_ca(self):
    """Renew the IPA CA into an externally signed one and verify the result.

    ``ipa-cacert-manage renew --external-ca`` produces a CSR, the test
    root CA signs it, and the signed chain is handed back through two
    ``--external-cert-file`` options.  ``ipa-certupdate`` then refreshes
    the local certificate databases.  Afterwards the external CA must
    carry the "C" flag (checked by ``check_CA_flag``) and the CA entry in
    LDAP must match the certificate that was installed on disk
    (``verify_caentry``).
    """
    renew_start = self.master.run_command(
        [paths.IPA_CACERT_MANAGE, 'renew', '--external-ca'])
    assert renew_start.returncode == 0

    # Sign the renewal CSR with the test root CA; both files land on host.
    root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
        self.master, paths.IPA_CA_CSR, ROOT_CA, IPA_CA)

    # Hand the externally signed IPA CA cert plus its issuer back to IPA.
    cert_opt = '--external-cert-file={}'
    renew_finish = self.master.run_command([
        paths.IPA_CACERT_MANAGE, 'renew',
        cert_opt.format(ipa_ca_fname),
        cert_opt.format(root_ca_fname),
    ])
    assert renew_finish.returncode == 0

    # Refresh the local certificate databases with the new chain.
    certupdate = self.master.run_command([paths.IPA_CERTUPDATE])
    assert certupdate.returncode == 0

    # Trust check: the external CA must have the "C" flag after the switch.
    has_c_flag = check_CA_flag(self.master)
    assert bool(has_c_flag), ('External CA does not have "C" flag')

    # LDAP check: the stored CA entry must describe the cert now on disk.
    installed_pem = self.master.get_file_contents(ipa_ca_fname)
    installed_cert = ipa_x509.load_pem_x509_certificate(installed_pem)
    verify_caentry(self.master, installed_cert)
def test_switch_to_external_ca(self):
    """Switch a running deployment to an externally signed CA.

    Steps: start a renewal with ``ipa-cacert-manage renew --external-ca``,
    have the test root CA sign the resulting CSR, feed the signed IPA CA
    cert and the root cert back via ``--external-cert-file=...``, run
    ``ipa-certupdate``, and finally require that the external CA shows
    the "C" flag (``check_CA_flag``).  Every command must exit 0.
    """
    def run_ok(argv):
        # Run a command on the master and require a zero exit status.
        res = self.master.run_command(argv)
        assert res.returncode == 0
        return res

    run_ok([paths.IPA_CACERT_MANAGE, 'renew', '--external-ca'])

    # Sign the renewal CSR and transport root + IPA CA certs to the host.
    root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
        self.master, paths.IPA_CA_CSR, ROOT_CA, IPA_CA)

    # Complete the renewal with the externally signed chain.
    run_ok([
        paths.IPA_CACERT_MANAGE, 'renew',
        '--external-cert-file={}'.format(ipa_ca_fname),
        '--external-cert-file={}'.format(root_ca_fname),
    ])

    # Update the IPA certificate databases with the new chain.
    run_ok([paths.IPA_CERTUPDATE])

    # The external CA has to be trusted ("C" flag) once the switch is done.
    flag_result = check_CA_flag(self.master)
    assert bool(flag_result), ('External CA does not have "C" flag')
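def test_external_ca(self):
    """Full external-CA install, replica install, and replica settings check.

    Step 1 writes the CSR, the test root CA signs it, and step 2 finishes
    the install with the signed chain.  The server is then exercised
    (``kinit`` as admin, ``ipa user-show admin``), a replica is installed
    against it, and the replication agreement entry under
    ``cn=mapping tree,cn=config`` is read back to confirm that the
    post-install settings ``nsds5ReplicaReleaseTimeout: 60`` and
    ``nsDS5ReplicaBindDnGroupCheckInterval: 60`` were applied.

    The LDAP lookup goes through ``tasks.ldapsearch_dm`` (the same helper
    the ms-cs variant of this test uses) instead of invoking
    ``ldapsearch ... -w <password>`` directly: passing the Directory
    Manager password as a command-line argument exposes it in process
    listings and in the logged command line of the test run.
    """
    # Step 1 of ipa-server-install: produce the CSR for the external CA.
    result = install_server_external_ca_step1(self.master)
    assert result.returncode == 0

    # Sign CA, transport it to the host and get ipa and root ca paths.
    root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
        self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)

    # Step 2 of ipa-server-install: finish with the signed chain.
    result = install_server_external_ca_step2(
        self.master, ipa_ca_fname, root_ca_fname)
    assert result.returncode == 0

    # Make sure IPA server is working properly.
    tasks.kinit_admin(self.master)
    result = self.master.run_command(['ipa', 'user-show', 'admin'])
    assert 'User login: admin' in result.stdout_text

    # A replica must also be installable against an externally signed CA.
    tasks.install_replica(self.master, self.replicas[0])

    # Read the replica agreement entry as Directory Manager through the
    # shared helper rather than with ``ldapsearch -w <dirman password>``.
    # NOTE(review): the direct call used ``-LLL -o ldif-wrap=no``; the
    # values asserted below are short enough that LDIF line wrapping
    # cannot split them, but confirm the helper's output options before
    # asserting on longer attribute values.
    result = tasks.ldapsearch_dm(
        self.master,
        'cn=mapping tree,cn=config',
        ['(cn=replica)'],
    )

    # Case-insensitive match: LDAP attribute names are case-insensitive.
    text = result.stdout_text.lower()
    # see ipaserver.install.replication.REPLICA_FINAL_SETTINGS
    assert 'nsds5ReplicaReleaseTimeout: 60'.lower() in text
    assert 'nsDS5ReplicaBindDnGroupCheckInterval: 60'.lower() in text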
def test_invalid_intermediate(self):
    """Reject an external root CA whose path length forbids a sub-CA.

    The test root CA is generated with ``root_ca_path_length=0``, i.e. a
    basicConstraints pathLenConstraint of zero, which leaves no room for
    the IPA CA as a subordinate.  Step 2 of the install must fail with a
    non-zero exit status and mention the path-length problem on stderr.
    """
    install_server_external_ca_step1(self.master)

    # Sign the IPA CSR under a root that may not have any intermediate.
    root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
        self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA,
        root_ca_path_length=0,
    )

    step2 = install_server_external_ca_step2(
        self.master, ipa_ca_fname, root_ca_fname, raiseonerr=False,
    )
    assert step2.returncode > 0
    # The substring must match the installer's message verbatim,
    # including its spelling of "contraint".
    assert "basic contraint pathlen" in step2.stderr_text
def test_invalid_intermediate(self):
    """Step 2 must refuse a root CA with ``pathlen=0`` above the IPA CA.

    The signing root is created with ``root_ca_path_length=0``; a sub-CA
    under such a root violates its basicConstraints, so completing the
    install has to fail (non-zero exit) and report the path-length issue.
    """
    install_server_external_ca_step1(self.master)

    # Root CA that permits no subordinate CA beneath it.
    root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
        self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA,
        root_ca_path_length=0)

    outcome = install_server_external_ca_step2(
        self.master, ipa_ca_fname, root_ca_fname, raiseonerr=False)

    failed = outcome.returncode > 0
    assert failed
    # Spelling ("contraint") must match the installer's message exactly.
    expected_msg = "basic contraint pathlen"
    assert expected_msg in outcome.stderr_text
def test_external_ca_with_too_small_key(self):
    """Renewal signed with a 1024-bit CA key must be refused.

    Reuses the existing deployment and its pending renewal CSR
    (``paths.IPA_CA_CSR``).  ``key_size=1024`` is passed to the signing
    helper, and ``ipa-cacert-manage renew`` is expected to exit with
    status 1 when handed the resulting chain.
    """
    # reuse the existing deployment and renewal CSR
    root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
        self.master, paths.IPA_CA_CSR, ROOT_CA, IPA_CA, key_size=1024)

    weak_chain = [
        '--external-cert-file', ipa_ca_fname,
        '--external-cert-file', root_ca_fname,
    ]
    outcome = self.master.run_command(
        [paths.IPA_CACERT_MANAGE, 'renew'] + weak_chain, raiseonerr=False)
    assert outcome.returncode == 1
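def install(cls, mh):
    """Deploy the ACME-with-external-CA topology for this test class.

    Runs the parent class's ``install`` first, then performs the two-step
    external-CA server install on ``cls.master`` (CSR from step 1,
    signing by the test root CA, completion in step 2), obtains an admin
    ticket, and installs one client and one replica against the master.

    Both install steps are asserted to exit with status 0, so a failed
    step 2 is reported here instead of surfacing as an unrelated error in
    the first test that uses the topology.
    """
    super(TestACMEwithExternalCA, cls).install(mh)

    # install master with external-ca
    result = install_server_external_ca_step1(cls.master)
    assert result.returncode == 0

    root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
        cls.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)

    result = install_server_external_ca_step2(
        cls.master, ipa_ca_fname, root_ca_fname)
    assert result.returncode == 0

    tasks.kinit_admin(cls.master)
    tasks.install_client(cls.master, cls.clients[0])
    tasks.install_replica(cls.master, cls.replicas[0])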
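def install(cls, mh):
    """Deploy an external-CA master plus one client for the ACME tests.

    Prepares the ACME client first (``cls.prepare_acme_client``), then
    runs the two-step external-CA server install on ``cls.master``,
    obtains an admin ticket, installs ``cls.clients[0]`` and points its
    resolver at the master.

    Both install steps are asserted to exit with status 0 so that a
    failed step 2 is caught during setup rather than in a later test.
    """
    cls.prepare_acme_client()

    # install master with external-ca
    result = install_server_external_ca_step1(cls.master)
    assert result.returncode == 0

    root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
        cls.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)

    result = install_server_external_ca_step2(
        cls.master, ipa_ca_fname, root_ca_fname)
    assert result.returncode == 0

    tasks.kinit_admin(cls.master)
    tasks.install_client(cls.master, cls.clients[0])
    tasks.config_host_resolvconf_with_master_data(cls.master, cls.clients[0])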
def test_external_ca_dirsrv_stop(self):
    """Step 2 of the external-CA install must cope with a stopped dirsrv.

    Between step 1 (CSR creation) and step 2 (completion with the signed
    chain) the directory server is stopped.  Step 2 is still expected to
    exit 0 (presumably it brings the service back itself; not visible
    here), and the deployment is then exercised with an admin ``kinit``
    and ``ipa user-show admin``.
    """
    # Step 1 of ipa-server-install
    step1 = install_server_external_ca_step1(self.master)
    assert step1.returncode == 0

    # Simulate 389-ds having been stopped in between the two steps.
    service_control_dirsrv(self.master, 'stop')

    # Sign CA, transport it to the host and get ipa and root ca paths.
    root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
        self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)

    # Step 2 of ipa-server-install.
    step2 = install_server_external_ca_step2(
        self.master, ipa_ca_fname, root_ca_fname)
    assert step2.returncode == 0

    # Make sure IPA server is working properly
    tasks.kinit_admin(self.master)
    shown = self.master.run_command(['ipa', 'user-show', 'admin'])
    assert 'User login: admin' in shown.stdout_text
def test_external_ca_constrained(self):
    """Install under an external root CA carrying a DNS name constraint.

    The test root CA receives an X.509 NameConstraints extension whose
    only permitted subtree is the IPA DNS domain written with a leading
    dot (``"." + domain``); ``excluded_subtrees`` is left unset.  The
    two-step install must succeed and ``ipa ping`` must work afterwards.
    Nothing here asserts that a name outside the permitted subtree is
    refused under the constrained chain.
    """
    install_server_external_ca_step1(self.master)

    # Name constraint for the IPA DNS domain (dot prefix).
    permitted = [x509.DNSName("." + self.master.domain.name)]
    nameconstraint = x509.NameConstraints(
        permitted_subtrees=permitted, excluded_subtrees=None)

    # Sign the IPA CSR under a root that carries the constraint.
    root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
        self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA,
        root_ca_extensions=[nameconstraint],
    )

    install_server_external_ca_step2(
        self.master, ipa_ca_fname, root_ca_fname)

    # Smoke test: the API must answer once the constrained chain is in place.
    tasks.kinit_admin(self.master)
    self.master.run_command(['ipa', 'ping'])
def test_external_ca_dirsrv_stop(self):
    """External-CA install where dirsrv is stopped before step 2.

    Step 1 creates the CSR; the directory server is then stopped via
    ``service_control_dirsrv``; the CSR is signed by the test root CA and
    step 2 completes the install.  Both steps must exit 0, and the
    server must afterwards answer ``ipa user-show admin`` for a
    kinit'ed admin.
    """
    def must_succeed(res):
        # Require a zero exit status from an install step.
        assert res.returncode == 0
        return res

    # Step 1 of ipa-server-install
    must_succeed(install_server_external_ca_step1(self.master))

    # stop dirsrv server.
    service_control_dirsrv(self.master, 'stop')

    # Sign CA, transport it to the host and get ipa and root ca paths.
    root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
        self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)

    # Step 2 of ipa-server-install.
    must_succeed(install_server_external_ca_step2(
        self.master, ipa_ca_fname, root_ca_fname))

    # Make sure IPA server is working properly
    tasks.kinit_admin(self.master)
    user_show = self.master.run_command(['ipa', 'user-show', 'admin'])
    assert 'User login: admin' in user_show.stdout_text
def test_external_ca(self):
    """External-CA install in Microsoft CS mode, then replica checks.

    Step 1 runs with ``--external-ca-type=ms-cs``; the resulting CSR is
    checked for the MS certificate-template extension (``SubCA``, V1
    template) before the test root CA signs it and step 2 completes the
    install.  The server is exercised with ``ipa user-show admin``, a
    replica is installed, and the replication agreement entry is read
    back as Directory Manager (``tasks.ldapsearch_dm``) to confirm the
    post-install settings ``nsds5ReplicaReleaseTimeout: 60`` and
    ``nsDS5ReplicaBindDnGroupCheckInterval: 60``.
    """
    # Step 1 of ipa-server-install, requesting the MS CS CSR flavour.
    step1 = install_server_external_ca_step1(
        self.master, extra_args=['--external-ca-type=ms-cs'])
    assert step1.returncode == 0

    # The CSR must carry the MS certificate template extension.
    csr_bytes = self.master.get_file_contents(paths.ROOT_IPA_CSR)
    check_mscs_extension(csr_bytes, MSCSTemplateV1(u'SubCA'))

    # Sign CA, transport it to the host and get ipa and root ca paths.
    root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
        self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)

    # Step 2 of ipa-server-install.
    step2 = install_server_external_ca_step2(
        self.master, ipa_ca_fname, root_ca_fname)
    assert step2.returncode == 0

    # Make sure IPA server is working properly
    tasks.kinit_admin(self.master)
    user_show = self.master.run_command(['ipa', 'user-show', 'admin'])
    assert 'User login: admin' in user_show.stdout_text

    # check that we can also install replica
    tasks.install_replica(self.master, self.replicas[0])

    # Read the replica agreement as Directory Manager via the helper
    # (keeps the DM password off the ldapsearch command line).
    agreement = tasks.ldapsearch_dm(
        self.master,
        'cn=mapping tree,cn=config',
        ['(cn=replica)'],
    )

    # case insensitive match: LDAP attribute names are case-insensitive
    text = agreement.stdout_text.lower()
    # see ipaserver.install.replication.REPLICA_FINAL_SETTINGS
    expected = (
        'nsds5ReplicaReleaseTimeout: 60',
        'nsDS5ReplicaBindDnGroupCheckInterval: 60',
    )
    for setting in expected:
        assert setting.lower() in text
def test_external_ca(self):
    """ms-cs external-CA install with CSR template check and replica checks.

    Runs step 1 with ``--external-ca-type=ms-cs`` and verifies the CSR
    carries the MS certificate-template extension
    (``ipa_x509.MSCSTemplateV1(u'SubCA')``).  The test root CA signs the
    CSR, step 2 completes the install, the server is exercised with
    ``ipa user-show admin``, a replica is installed, and the
    replication agreement entry under ``cn=mapping tree,cn=config`` is
    checked for the two post-install settings set to 60.
    """
    # Step 1 of ipa-server-install.
    result = install_server_external_ca_step1(
        self.master, extra_args=['--external-ca-type=ms-cs'])
    assert result.returncode == 0

    # check CSR for extension
    ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR)
    check_mscs_extension(ipa_csr, ipa_x509.MSCSTemplateV1(u'SubCA'))

    # Sign CA, transport it to the host and get ipa and root ca paths.
    root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
        self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)

    # Step 2 of ipa-server-install.
    result = install_server_external_ca_step2(
        self.master, ipa_ca_fname, root_ca_fname)
    assert result.returncode == 0

    # Make sure IPA server is working properly
    tasks.kinit_admin(self.master)
    result = self.master.run_command(['ipa', 'user-show', 'admin'])
    assert 'User login: admin' in result.stdout_text

    # check that we can also install replica
    tasks.install_replica(self.master, self.replicas[0])

    # Replica agreement lookup as Directory Manager through the shared
    # helper, so the DM password is not passed on a command line.
    result = tasks.ldapsearch_dm(
        self.master,
        'cn=mapping tree,cn=config',
        ['(cn=replica)'],
    )

    # case insensitive match: LDAP attribute names are case-insensitive
    text = result.stdout_text.lower()
    # see ipaserver.install.replication.REPLICA_FINAL_SETTINGS
    release_timeout = 'nsds5ReplicaReleaseTimeout: 60'.lower()
    bind_check_interval = 'nsDS5ReplicaBindDnGroupCheckInterval: 60'.lower()
    assert release_timeout in text
    assert bind_check_interval in text