Adding test-cases for ipa-cacert-manage

Scenario1: Setup external CA1 and install ipa-server with CA1. Setup exteranal CA2 and renew ipa-server with CA2. Get information to compare CA change for ca1 and CA2 it should show different Issuer between install and renewal. Scenario2: Renew CA Cert on Replica using ipa-cacert-manage verify that replica is caRenewalMaster Signed-off-by: Anuja More <amore@redhat.com>
freeipa · Apr 25, 2018 · eb176a4 · eb176a4
1 parent 6c4635e
commit eb176a4
Show file tree

Hide file tree

Showing 3 changed files with 95 additions and 136 deletions.
diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
@@ -11,6 +11,10 @@ topologies:
     name: master_1repl_1client
     cpu: 4
     memory: 6700
+  master_2repl_1client: &master_2repl_1client
+    name: master_1repl_1client
+    cpu: 4
+    memory: 6700
 
 jobs:
   fedora-27/build:
@@ -27,31 +31,19 @@ jobs:
         timeout: 1800
         topology: *build
 
-  fedora-27/simple_replication:
-    requires: [fedora-27/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-27/build_url}'
-        test_suite: test_integration/test_simple_replication.py
-        template: *ci-master-f27
-        timeout: 3600
-        topology: *master_1repl
-
-  fedora-27/caless:
+  fedora-27/test_replica_promotion:
     requires: [fedora-27/build]
     priority: 50
     job:
       class: RunPytest
       args:
         build_url: '{fedora-27/build_url}'
-        test_suite: test_integration/test_caless.py::TestServerReplicaCALessToCAFull
+        test_suite: test_integration/test_replica_promotion.py
         template: *ci-master-f27
         timeout: 3600
-        topology: *master_1repl
+        topology: *master_2repl_1client
 
-  fedora-27/external_ca:
+  fedora-27/test_external_ca:
     requires: [fedora-27/build]
     priority: 50
     job:
@@ -60,125 +52,6 @@ jobs:
         build_url: '{fedora-27/build_url}'
         test_suite: test_integration/test_external_ca.py
         template: *ci-master-f27
-        timeout: 3600
-        topology: *master_1repl
-
-  fedora-27/test_topologies:
-    requires: [fedora-27/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-27/build_url}'
-        test_suite: test_integration/test_topologies.py
-        template: *ci-master-f27
-        timeout: 3600
-        topology: *master_1repl
-
-  fedora-27/test_sudo:
-    requires: [fedora-27/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-27/build_url}'
-        test_suite: test_integration/test_sudo.py
-        template: *ci-master-f27
-        timeout: 3600
-        topology: *master_1repl_1client
-
-  fedora-27/test_kerberos_flags:
-    requires: [fedora-27/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-27/build_url}'
-        test_suite: test_integration/test_kerberos_flags.py
-        template: *ci-master-f27
-        timeout: 3600
-        topology: *master_1repl_1client
-
-  fedora-27/test_http_kdc_proxy:
-    requires: [fedora-27/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-27/build_url}'
-        test_suite: test_integration/test_http_kdc_proxy.py
-        template: *ci-master-f27
-        timeout: 3600
-        topology: *master_1repl_1client
-
-  fedora-27/test_forced_client_enrolment:
-    requires: [fedora-27/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-27/build_url}'
-        test_suite: test_integration/test_forced_client_reenrollment.py
-        template: *ci-master-f27
-        timeout: 3600
-        topology: *master_1repl_1client
-
-  fedora-27/test_advise:
-    requires: [fedora-27/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-27/build_url}'
-        test_suite: test_integration/test_advise.py
-        template: *ci-master-f27
-        timeout: 3600
-        topology: *master_1repl
-
-  fedora-27/test_testconfig:
-    requires: [fedora-27/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-27/build_url}'
-        test_suite: test_integration/test_testconfig.py
-        template: *ci-master-f27
-        timeout: 3600
+        timeout: 4600
         topology: *master_1repl
 
-  fedora-27/test_service_permissions:
-    requires: [fedora-27/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-27/build_url}'
-        test_suite: test_integration/test_service_permissions.py
-        template: *ci-master-f27
-        timeout: 3600
-        topology: *master_1repl
-
-  fedora-27/test_netgroup:
-    requires: [fedora-27/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-27/build_url}'
-        test_suite: test_integration/test_netgroup.py
-        template: *ci-master-f27
-        timeout: 3600
-        topology: *master_1repl
-
-  fedora-27/test_vault:
-    requires: [fedora-27/build]
-    priority: 50
-    job:
-      class: RunPytest
-      args:
-        build_url: '{fedora-27/build_url}'
-        test_suite: test_integration/test_vault.py
-        template: *ci-master-f27
-        timeout: 3600
-        topology: *master_1repl
diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
@@ -279,3 +279,77 @@ def test_install_external_ca(self):
         # Install new cert
         self.master.run_command([paths.IPA_CACERT_MANAGE, 'install',
                                  root_ca_fname])
+
+
+class TestMultipleExternalCA(IntegrationTest):
+    """setup ext-ca1 install ipa-server with ca1
+     setup ext-ca2 renew ipa-server with ext-ca2
+     check the difference in certificate"""
+
+    def test_master_install_ca1(self):
+
+        install_server_external_ca_step1(self.master)
+        # Sign CA, transport it to the host and get ipa a root ca paths.
+
+        test_dir1 = os.path.join(self.master.config.test_dir, 'CA1')
+        self.master.run_command(['mkdir', test_dir1])
+        # Get IPA CSR as bytes
+        ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR,)
+
+        external_ca = ExternalCA()
+        # Create root CA
+        root_ca = external_ca.create_ca(cn='RootCA1')
+        # Sign CSR
+        ipa_ca = external_ca.sign_csr(ipa_csr)
+
+        root_ca_fname1 = os.path.join(test_dir1, ROOT_CA)
+        ipa_ca_fname1 = os.path.join(test_dir1, IPA_CA)
+
+        # Transport certificates (string > file) to master
+        self.master.put_file_contents(root_ca_fname1, root_ca)
+        self.master.put_file_contents(ipa_ca_fname1, ipa_ca)
+
+        # Step 2 of ipa-server-install.
+        install_server_external_ca_step2(self.master, ipa_ca_fname1,
+                                         root_ca_fname1)
+
+        str1 = "caSigningCert cert-pki-ca"
+        info1 = self.master.run_command(['certutil', '-L', '-d',
+                                         paths.PKI_TOMCAT_ALIAS_DIR,
+                                         '-n', str1]).stdout_text
+        assert "CN=RootCA1" in info1
+
+    def test_master_install_ca2(self):
+
+        test_dir2 = os.path.join(self.master.config.test_dir, 'CA2')
+
+        self.master.run_command(['mkdir', test_dir2])
+
+        self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
+                                 '--external-ca'])
+
+        # Get IPA CSR as bytes
+        ipa_csr = self.master.get_file_contents(paths.IPA_CA_CSR)
+
+        external_ca = ExternalCA()
+        # Create root CA
+        root_ca = external_ca.create_ca(cn='RootCA2')
+        # Sign CSR
+        ipa_ca = external_ca.sign_csr(ipa_csr)
+
+        root_ca_fname2 = os.path.join(test_dir2, ROOT_CA)
+        ipa_ca_fname2 = os.path.join(test_dir2, IPA_CA)
+
+        # Transport certificates (string > file) to master
+        self.master.put_file_contents(root_ca_fname2, root_ca)
+        self.master.put_file_contents(ipa_ca_fname2, ipa_ca)
+
+        # Step 2 of ipa-server-install.
+        self.master.run_command(['ipa-cacert-manage', 'renew',
+                                 '--external-cert-file', ipa_ca_fname2,
+                                 '--external-cert-file', root_ca_fname2])
+        str1 = "caSigningCert cert-pki-ca"
+        info2 = self.master.run_command(['certutil', '-L', '-d',
+                                         paths.PKI_TOMCAT_ALIAS_DIR,
+                                         '-n', str1]).stdout_text
+        assert "CN=RootCA2" in info2
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
@@ -484,6 +484,18 @@ def test_replica_not_marked_as_renewal_master(self):
             "Replica hostname found among CA renewal masters"
         )
 
+    def test_renewal_replica_with_ipa_ca_cert_manage(self):
+        """Make replica as IPA CA renewal master using
+        ipa-cacert-manage --renew"""
+        master = self.master
+        replica = self.replicas[0]
+        self.assertCARenewalMaster(master, master.hostname)
+        replica.run_command([paths.IPA_CACERT_MANAGE, 'renew'])
+        self.assertCARenewalMaster(replica, replica.hostname)
+        # set master back to ca-renewal-master
+        master.run_command([paths.IPA_CACERT_MANAGE, 'renew'])
+        self.assertCARenewalMaster(master, master.hostname)
+
     def test_manual_renewal_master_transfer(self):
         replica = self.replicas[0]
         replica.run_command(['ipa', 'config-mod',