Adding test-cases for ipa-cacert-manage
Scenario1:	Setup external CA1 and install ipa-server with CA1.
     		Setup external CA2 and renew ipa-server with CA2.
		Get information to compare CA change for ca1 and CA2
     		it should show different Issuer between install
		and renewal.

Scenario2:	Renew CA Cert on Replica using ipa-cacert-manage
		verify that replica is caRenewalMaster

Signed-off-by: Anuja More <amore@redhat.com>
amore17 committed Apr 27, 2018
1 parent 6c4635e commit 6e60e5d
Showing 3 changed files with 81 additions and 137 deletions.
147 changes: 10 additions & 137 deletions .freeipa-pr-ci.yaml
Expand Up @@ -11,6 +11,10 @@ topologies:
name: master_1repl_1client
cpu: 4
memory: 6700
master_2repl_1client: &master_2repl_1client
name: master_1repl_1client
cpu: 4
memory: 6700

jobs:
fedora-27/build:
Expand All @@ -27,31 +31,19 @@ jobs:
timeout: 1800
topology: *build

fedora-27/simple_replication:
fedora-27/test_replica_promotion:
requires: [fedora-27/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
test_suite: test_integration/test_simple_replication.py
test_suite: test_integration/test_replica_promotion.py
template: *ci-master-f27
timeout: 3600
topology: *master_1repl

fedora-27/caless:
requires: [fedora-27/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
test_suite: test_integration/test_caless.py::TestServerReplicaCALessToCAFull
template: *ci-master-f27
timeout: 3600
topology: *master_1repl
timeout: 10900
topology: *master_2repl_1client

fedora-27/external_ca:
fedora-27/test_external_ca:
requires: [fedora-27/build]
priority: 50
job:
Expand All @@ -60,125 +52,6 @@ jobs:
build_url: '{fedora-27/build_url}'
test_suite: test_integration/test_external_ca.py
template: *ci-master-f27
timeout: 3600
topology: *master_1repl

fedora-27/test_topologies:
requires: [fedora-27/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
test_suite: test_integration/test_topologies.py
template: *ci-master-f27
timeout: 3600
topology: *master_1repl

fedora-27/test_sudo:
requires: [fedora-27/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
test_suite: test_integration/test_sudo.py
template: *ci-master-f27
timeout: 3600
topology: *master_1repl_1client

fedora-27/test_kerberos_flags:
requires: [fedora-27/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
test_suite: test_integration/test_kerberos_flags.py
template: *ci-master-f27
timeout: 3600
topology: *master_1repl_1client

fedora-27/test_http_kdc_proxy:
requires: [fedora-27/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
test_suite: test_integration/test_http_kdc_proxy.py
template: *ci-master-f27
timeout: 3600
topology: *master_1repl_1client

fedora-27/test_forced_client_enrolment:
requires: [fedora-27/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
test_suite: test_integration/test_forced_client_reenrollment.py
template: *ci-master-f27
timeout: 3600
topology: *master_1repl_1client

fedora-27/test_advise:
requires: [fedora-27/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
test_suite: test_integration/test_advise.py
template: *ci-master-f27
timeout: 3600
topology: *master_1repl

fedora-27/test_testconfig:
requires: [fedora-27/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
test_suite: test_integration/test_testconfig.py
template: *ci-master-f27
timeout: 3600
timeout: 5600
topology: *master_1repl

fedora-27/test_service_permissions:
requires: [fedora-27/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
test_suite: test_integration/test_service_permissions.py
template: *ci-master-f27
timeout: 3600
topology: *master_1repl

fedora-27/test_netgroup:
requires: [fedora-27/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
test_suite: test_integration/test_netgroup.py
template: *ci-master-f27
timeout: 3600
topology: *master_1repl

fedora-27/test_vault:
requires: [fedora-27/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
test_suite: test_integration/test_vault.py
template: *ci-master-f27
timeout: 3600
topology: *master_1repl
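Review bot: The new `master_2repl_1client` topology in the first hunk still carries `name: master_1repl_1client`, so the test_replica_promotion job that now references `*master_2repl_1client` would presumably be provisioned with one replica instead of two; if two replicas are intended, the line should read `name: master_2repl_1client`. Separately, the 137 deletions in this file appear to drop most of the existing fedora-27 jobs (caless, test_sudo, test_kerberos_flags, test_http_kdc_proxy, test_vault and others), which is unrelated to the ipa-cacert-manage tests named in the commit title and removes PR gating for those suites. This looks like a temporary CI override for running only the new tests and should be left out of the commit.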
58 changes: 58 additions & 0 deletions ipatests/test_integration/test_external_ca.py
Expand Up @@ -20,6 +20,7 @@
import os
import re
import time
import tempfile

from ipatests.pytest_plugins.integration import tasks
from ipatests.test_integration.base import IntegrationTest
Expand Down Expand Up @@ -279,3 +280,60 @@ def test_install_external_ca(self):
# Install new cert
self.master.run_command([paths.IPA_CACERT_MANAGE, 'install',
root_ca_fname])


class TestMultipleExternalCA(IntegrationTest):
"""Setup externally signed ca1
install ipa-server with with externally signed ca1
Setup externally signed ca2 and renew ipa-server with
externally signed ca2 and check the difference in certificate
"""

def test_master_install_ca1(self):
install_server_external_ca_step1(self.master)
# Sign CA, transport it to the host and get ipa a root ca paths.
root_ca_fname1 = tempfile.mkdtemp(suffix='root_ca.crt', dir=paths.TMP)
ipa_ca_fname1 = tempfile.mkdtemp(suffix='ipa_ca.crt', dir=paths.TMP)

ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR)

external_ca = ExternalCA()
root_ca = external_ca.create_ca(cn='RootCA1')
ipa_ca = external_ca.sign_csr(ipa_csr)
self.master.put_file_contents(root_ca_fname1, root_ca)
self.master.put_file_contents(ipa_ca_fname1, ipa_ca)
# Step 2 of ipa-server-install.
install_server_external_ca_step2(self.master, ipa_ca_fname1,
root_ca_fname1)

cert_nick = "caSigningCert cert-pki-ca"
result = self.master.run_command([
'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR,
'-n', cert_nick])
assert "CN=RootCA1" in result.stdout_text

def test_master_install_ca2(self):
root_ca_fname2 = tempfile.mkdtemp(suffix='root_ca.crt', dir=paths.TMP)
ipa_ca_fname2 = tempfile.mkdtemp(suffix='ipa_ca.crt', dir=paths.TMP)

self.master.run_command([
paths.IPA_CACERT_MANAGE, 'renew', '--external-ca'])

ipa_csr = self.master.get_file_contents(paths.IPA_CA_CSR)

external_ca = ExternalCA()
root_ca = external_ca.create_ca(cn='RootCA2')
ipa_ca = external_ca.sign_csr(ipa_csr)
self.master.put_file_contents(root_ca_fname2, root_ca)
self.master.put_file_contents(ipa_ca_fname2, ipa_ca)
# Step 2 of ipa-server-install.
self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
'--external-cert-file', ipa_ca_fname2,
'--external-cert-file', root_ca_fname2])

cert_nick = "caSigningCert cert-pki-ca"
result = self.master.run_command([
'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR,
'-n', cert_nick])
assert "CN=RootCA2" in result.stdout_text
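Review bot: `tempfile.mkdtemp(...)` in test_master_install_ca1 and test_master_install_ca2 creates a directory on the machine running pytest, yet the returned path is then used as a file name on the master through `put_file_contents`; the local directories are never removed and nothing reserves that name on the remote host. Creating the path where it is used, for example `root_ca_fname1 = self.master.run_command(['mktemp']).stdout_text.strip()`, would avoid both problems. test_master_install_ca2 also only works if test_master_install_ca1 has already installed the server, which deserves a sentence in the class docstring (where `with with` should be fixed too). Its `# Step 2 of ipa-server-install.` comment describes the wrong operation and could read `# Finish the renewal with the certificate signed by the second CA.`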
13 changes: 13 additions & 0 deletions ipatests/test_integration/test_replica_promotion.py
Expand Up @@ -484,6 +484,19 @@ def test_replica_not_marked_as_renewal_master(self):
"Replica hostname found among CA renewal masters"
)

def test_renewal_replica_with_ipa_ca_cert_manage(self):
"""Make replica as IPA CA renewal master using
ipa-cacert-manage --renew"""
master = self.master
replica = self.replicas[0]
self.assertCARenewalMaster(master, master.hostname)
replica.run_command([paths.IPA_CACERT_MANAGE, 'renew'])
self.assertCARenewalMaster(replica, replica.hostname)
# set master back to ca-renewal-master
master.run_command([paths.IPA_CACERT_MANAGE, 'renew'])
self.assertCARenewalMaster(master, master.hostname)
self.assertCARenewalMaster(replica, master.hostname)

def test_manual_renewal_master_transfer(self):
replica = self.replicas[0]
replica.run_command(['ipa', 'config-mod',
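Review bot: After `replica.run_command([paths.IPA_CACERT_MANAGE, 'renew'])` the test only asks the replica itself who the renewal master is, so it would pass even if the change never reached the master; adding `self.assertCARenewalMaster(master, replica.hostname)` at that point would mirror the two-sided check made at the end. The step that hands the role back to the master is skipped when an earlier assertion fails, leaving the changed state for the tests that follow in the class; a `try`/`finally` around the replica checks would keep the restore. The docstring says `ipa-cacert-manage --renew` while the code runs the `renew` subcommand. The enclosing class starts outside the hunk.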