From cf661b5052bae3bd93df9c945c96f5e6d4c5f1b8 Mon Sep 17 00:00:00 2001
From: Anuja More
Date: Wed, 25 Apr 2018 13:38:33 +0530
Subject: [PATCH] Adding test-cases for ipa-cacert-manage
Scenario1: Setup external CA1 and install ipa-server with CA1. Setup exteranal CA2 and renew ipa-server with CA2. Get information to compare CA change for ca1 and CA2 it should show different Issuer between install and renewal. Scenario2: Renew CA Cert on Replica using ipa-cacert-manage verify that replica is caRenewalMaster
Signed-off-by: Anuja More
---
 .freeipa-pr-ci.yaml | 147 ++----------------
 ipatests/test_integration/test_external_ca.py | 74 +++++++++
 .../test_replica_promotion.py | 12 ++
 3 files changed, 96 insertions(+), 137 deletions(-)
diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index c95bef79e2b..3b772a16c42 100644
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -11,6 +11,10 @@ topologies:
 name: master_1repl_1client
 cpu: 4
 memory: 6700
+ master_2repl_1client: &master_2repl_1client
+ name: master_1repl_1client
+ cpu: 4
+ memory: 6700
 
 jobs:
 fedora-27/build:
@@ -27,31 +31,19 @@ jobs:
 timeout: 1800
 topology: *build
 
- fedora-27/simple_replication:
+ fedora-27/test_replica_promotion:
 requires: [fedora-27/build]
 priority: 50
 job:
 class: RunPytest
 args:
 build_url: '{fedora-27/build_url}'
- test_suite: test_integration/test_simple_replication.py
+ test_suite: test_integration/test_replica_promotion.py
 template: *ci-master-f27
- timeout: 3600
- topology: *master_1repl
-
- fedora-27/caless:
- requires: [fedora-27/build]
- priority: 50
- job:
- class: RunPytest
- args:
- build_url: '{fedora-27/build_url}'
- test_suite: test_integration/test_caless.py::TestServerReplicaCALessToCAFull
- template: *ci-master-f27
- timeout: 3600
- topology: *master_1repl
+ timeout: 10900
+ topology: *master_2repl_1client
 
- fedora-27/external_ca:
+ fedora-27/test_external_ca:
 requires: [fedora-27/build]
 priority: 50
 job:
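Review bot: The new `master_2repl_1client` anchor in the `@@ -11,6 +11,10 @@` hunk still carries `name: master_1repl_1client` and the same cpu/memory as the one-replica topology, so either the name is a copy-paste slip or the topology does not actually describe a second replica; `name: master_2repl_1client` is the line to fix, and the memory budget for an extra guest is worth checking against what the provider allows. The same file's `@@ -27,31 +31,19 @@` and `@@ -60,125 +52,6 @@` hunks also drop simple_replication, caless, test_topologies, test_sudo, test_kerberos_flags, test_http_kdc_proxy, test_forced_client_enrolment, test_advise, test_service_permissions, test_netgroup and test_vault from PR CI. If that pruning is only meant to exercise the two touched suites while this PR is being tested, it should be reverted before merge; otherwise the commit message should say why those jobs are removed.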
@@ -60,125 +52,6 @@ jobs:
 build_url: '{fedora-27/build_url}'
 test_suite: test_integration/test_external_ca.py
 template: *ci-master-f27
- timeout: 3600
- topology: *master_1repl
-
- fedora-27/test_topologies:
- requires: [fedora-27/build]
- priority: 50
- job:
- class: RunPytest
- args:
- build_url: '{fedora-27/build_url}'
- test_suite: test_integration/test_topologies.py
- template: *ci-master-f27
- timeout: 3600
- topology: *master_1repl
-
- fedora-27/test_sudo:
- requires: [fedora-27/build]
- priority: 50
- job:
- class: RunPytest
- args:
- build_url: '{fedora-27/build_url}'
- test_suite: test_integration/test_sudo.py
- template: *ci-master-f27
- timeout: 3600
- topology: *master_1repl_1client
-
- fedora-27/test_kerberos_flags:
- requires: [fedora-27/build]
- priority: 50
- job:
- class: RunPytest
- args:
- build_url: '{fedora-27/build_url}'
- test_suite: test_integration/test_kerberos_flags.py
- template: *ci-master-f27
- timeout: 3600
- topology: *master_1repl_1client
-
- fedora-27/test_http_kdc_proxy:
- requires: [fedora-27/build]
- priority: 50
- job:
- class: RunPytest
- args:
- build_url: '{fedora-27/build_url}'
- test_suite: test_integration/test_http_kdc_proxy.py
- template: *ci-master-f27
- timeout: 3600
- topology: *master_1repl_1client
-
- fedora-27/test_forced_client_enrolment:
- requires: [fedora-27/build]
- priority: 50
- job:
- class: RunPytest
- args:
- build_url: '{fedora-27/build_url}'
- test_suite: test_integration/test_forced_client_reenrollment.py
- template: *ci-master-f27
- timeout: 3600
- topology: *master_1repl_1client
-
- fedora-27/test_advise:
- requires: [fedora-27/build]
- priority: 50
- job:
- class: RunPytest
- args:
- build_url: '{fedora-27/build_url}'
- test_suite: test_integration/test_advise.py
- template: *ci-master-f27
- timeout: 3600
- topology: *master_1repl
-
- fedora-27/test_testconfig:
- requires: [fedora-27/build]
- priority: 50
- job:
- class: RunPytest
- args:
- build_url: '{fedora-27/build_url}'
- test_suite: test_integration/test_testconfig.py
- template: *ci-master-f27
- timeout: 3600
+ timeout: 4600
 topology: *master_1repl
 
- fedora-27/test_service_permissions:
- requires: [fedora-27/build]
- priority: 50
- job:
- class: RunPytest
- args:
- build_url: '{fedora-27/build_url}'
- test_suite: test_integration/test_service_permissions.py
- template: *ci-master-f27
- timeout: 3600
- topology: *master_1repl
-
- fedora-27/test_netgroup:
- requires: [fedora-27/build]
- priority: 50
- job:
- class: RunPytest
- args:
- build_url: '{fedora-27/build_url}'
- test_suite: test_integration/test_netgroup.py
- template: *ci-master-f27
- timeout: 3600
- topology: *master_1repl
-
- fedora-27/test_vault:
- requires: [fedora-27/build]
- priority: 50
- job:
- class: RunPytest
- args:
- build_url: '{fedora-27/build_url}'
- test_suite: test_integration/test_vault.py
- template: *ci-master-f27
- timeout: 3600
- topology: *master_1repl
diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
index a6f96674a09..18a15e537e9 100644
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
@@ -279,3 +279,77 @@ def test_install_external_ca(self):
 # Install new cert
 self.master.run_command([paths.IPA_CACERT_MANAGE, 'install',
 root_ca_fname])
+
+
+class TestMultipleExternalCA(IntegrationTest):
+ """setup ext-ca1 install ipa-server with ca1
+ setup ext-ca2 renew ipa-server with ext-ca2
+ check the difference in certificate"""
+
+ def test_master_install_ca1(self):
+
+ install_server_external_ca_step1(self.master)
+ # Sign CA, transport it to the host and get ipa a root ca paths.
+
+ test_dir1 = os.path.join(self.master.config.test_dir, 'CA1')
+ self.master.run_command(['mkdir', test_dir1])
+ # Get IPA CSR as bytes
+ ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR,)
+
+ external_ca = ExternalCA()
+ # Create root CA
+ root_ca = external_ca.create_ca(cn='RootCA1')
+ # Sign CSR
+ ipa_ca = external_ca.sign_csr(ipa_csr)
+
+ root_ca_fname1 = os.path.join(test_dir1, ROOT_CA)
+ ipa_ca_fname1 = os.path.join(test_dir1, IPA_CA)
+
+ # Transport certificates (string > file) to master
+ self.master.put_file_contents(root_ca_fname1, root_ca)
+ self.master.put_file_contents(ipa_ca_fname1, ipa_ca)
+
+ # Step 2 of ipa-server-install.
+ install_server_external_ca_step2(self.master, ipa_ca_fname1,
+ root_ca_fname1)
+
+ str1 = "caSigningCert cert-pki-ca"
+ info1 = self.master.run_command(['certutil', '-L', '-d',
+ paths.PKI_TOMCAT_ALIAS_DIR,
+ '-n', str1]).stdout_text
+ assert "CN=RootCA1" in info1
+
+ def test_master_install_ca2(self):
+
+ test_dir2 = os.path.join(self.master.config.test_dir, 'CA2')
+
+ self.master.run_command(['mkdir', test_dir2])
+
+ self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
+ '--external-ca'])
+
+ # Get IPA CSR as bytes
+ ipa_csr = self.master.get_file_contents(paths.IPA_CA_CSR)
+
+ external_ca = ExternalCA()
+ # Create root CA
+ root_ca = external_ca.create_ca(cn='RootCA2')
+ # Sign CSR
+ ipa_ca = external_ca.sign_csr(ipa_csr)
+
+ root_ca_fname2 = os.path.join(test_dir2, ROOT_CA)
+ ipa_ca_fname2 = os.path.join(test_dir2, IPA_CA)
+
+ # Transport certificates (string > file) to master
+ self.master.put_file_contents(root_ca_fname2, root_ca)
+ self.master.put_file_contents(ipa_ca_fname2, ipa_ca)
+
+ # Step 2 of ipa-server-install.
+ self.master.run_command(['ipa-cacert-manage', 'renew',
+ '--external-cert-file', ipa_ca_fname2,
+ '--external-cert-file', root_ca_fname2])
+ str1 = "caSigningCert cert-pki-ca"
+ info2 = self.master.run_command(['certutil', '-L', '-d',
+ paths.PKI_TOMCAT_ALIAS_DIR,
+ '-n', str1]).stdout_text
+ assert "CN=RootCA2" in info2
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 28052a112b2..1f0ec3f67e0 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
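Review bot: `test_master_install_ca2` runs the second renewal through the bare string `'ipa-cacert-manage'` while every other invocation in this hunk uses `paths.IPA_CACERT_MANAGE`; use the constant, `self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',`, so the test does not depend on PATH resolution on the remote host. The comment above that call, `# Step 2 of ipa-server-install.`, was carried over from the CA1 test and no longer describes what follows; `# Feed the CA2-signed chain back in with ipa-cacert-manage renew` matches the code. The final check only confirms the new issuer appears in the certutil output, whereas the commit message says the issuer should differ between install and renewal; adding `assert "CN=RootCA1" not in info2` next to `assert "CN=RootCA2" in info2` pins that. The class docstring should also note that `test_master_install_ca2` appears to rely on `test_master_install_ca1` having installed the server first, since it calls `renew --external-ca` with no setup of its own.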
@@ -484,6 +484,18 @@ def test_replica_not_marked_as_renewal_master(self):
 "Replica hostname found among CA renewal masters"
 )
 
+ def test_renewal_replica_with_ipa_ca_cert_manage(self):
+ """Make replica as IPA CA renewal master using
+ ipa-cacert-manage --renew"""
+ master = self.master
+ replica = self.replicas[0]
+ self.assertCARenewalMaster(master, master.hostname)
+ replica.run_command([paths.IPA_CACERT_MANAGE, 'renew'])
+ self.assertCARenewalMaster(replica, replica.hostname)
+ # set master back to ca-renewal-master
+ master.run_command([paths.IPA_CACERT_MANAGE, 'renew'])
+ self.assertCARenewalMaster(master, master.hostname)
+
 def test_manual_renewal_master_transfer(self):
 replica = self.replicas[0]
 replica.run_command(['ipa', 'config-mod',
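Review bot: In `test_renewal_replica_with_ipa_ca_cert_manage` the master is only made renewal master again if the assertion right after the replica's `renew` passes; if that assertion fails the hand-back never runs, and `test_manual_renewal_master_transfer` directly below starts with the replica as renewal master, so one failure cascades into the next test. Putting the hand-back in a `finally` keeps the class's end state fixed regardless of the assertion, as sketched below. The docstring also names the command as `ipa-cacert-manage --renew` while the code runs the `renew` subcommand; `"""Make the replica the IPA CA renewal master via ipa-cacert-manage renew, then hand the role back."""` describes what actually runs. `assertCARenewalMaster` is presumably a helper defined on this class outside the hunk.

```python
    def test_renewal_replica_with_ipa_ca_cert_manage(self):
        """Make the replica the IPA CA renewal master via
        ipa-cacert-manage renew, then hand the role back."""
        master = self.master
        replica = self.replicas[0]
        self.assertCARenewalMaster(master, master.hostname)
        try:
            replica.run_command([paths.IPA_CACERT_MANAGE, 'renew'])
            self.assertCARenewalMaster(replica, replica.hostname)
        finally:
            # always set master back so later tests start from a known state
            master.run_command([paths.IPA_CACERT_MANAGE, 'renew'])
        self.assertCARenewalMaster(master, master.hostname)
```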