From 94ca49d991b3f5bb404533f84970a1b2485d9cc8 Mon Sep 17 00:00:00 2001

From: Antonio Torres <antorres@redhat.com>

Date: Fri, 23 Apr 2021 17:48:14 +0200

Subject: [PATCH] Add tests for certificate mismatch detection

Add tests for the IPACertMatchCheck and IPADogtagCertsMatchCheck plugins.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1886770

Signed-off-by: Antonio Torres <antorres@redhat.com>

---

 tests/test_ipa_cert_match.py | 282 +++++++++++++++++++++++++++++++++++

 1 file changed, 282 insertions(+)

 create mode 100644 tests/test_ipa_cert_match.py

diff --git a/tests/test_ipa_cert_match.py b/tests/test_ipa_cert_match.py

new file mode 100644

index 0000000..460e61a

--- /dev/null

+++ b/tests/test_ipa_cert_match.py

@@ -0,0 +1,282 @@

+#

+# Copyright (C) 2021 FreeIPA Contributors see COPYING for license

+#

+

+from util import capture_results, m_api, CAInstance, KRAInstance

+from base import BaseTest

+from ipahealthcheck.core import config, constants

+from ipahealthcheck.ipa.plugin import registry

+from ipahealthcheck.ipa.certs import IPACertMatchCheck

+from ipahealthcheck.ipa.certs import IPADogtagCertsMatchCheck

+from unittest.mock import Mock, patch

+

+from ipalib import errors

+from ipapython.dn import DN

+from ipapython.ipaldap import LDAPClient, LDAPEntry

+

+

+class IPACertificate:

+    def __init__(self, serial_number=1):

+        self.serial_number = serial_number

+

+    def __eq__(self, other):

+        return self.serial_number == other.serial_number

+

+    def __hash__(self):

+        return hash(self.serial_number)

+

+

+class mock_ldap:

+    SCOPE_BASE = 1

+    SCOPE_ONELEVEL = 2

+    SCOPE_SUBTREE = 4

+

+    def __init__(self, entries):

+        """Initialize the results that we will return from get_entry"""

+        self.results = {entry.dn: entry for entry in entries}

+

+    def get_entry(self, dn, attrs_list=None, time_limit=None,

+                  size_limit=None, get_effective_rights=False):

+        if self.results is None:

+            raise errors.NotFound(reason='test')

+        return self.results[dn]

+

+    def get_entries(self, base_dn, scope=SCOPE_SUBTREE, filter=None,

+                    attrs_list=None, get_effective_rights=False, **kwargs):

+        if self.results is None:

+            raise errors.NotFound(reason='test')

+        return self.results.values()

+

+

+class mock_ldap_conn:

+    def set_option(self, option, invalue):

+        pass

+

+    def search_s(self, base, scope, filterstr=None,

+                 attrlist=None, attrsonly=0):

+        return tuple()

+

+

+class mock_CertDB:

+    def __init__(self, trust):

+        """A dict of nickname + NSSdb trust flags"""

+        self.trust = trust

+        self.secdir = '/foo/bar/testdir'

+

+    def get_cert_from_db(self, nickname):

+        if nickname not in self.trust.keys():

+            raise errors.NotFound(reason='test')

+        return IPACertificate()

+

+    def run_certutil(self, args, capture_output):

+        class RunResult:

+            def __init__(self, output):

+                self.raw_output = output

+

+        return RunResult(b'test output')

+

+

+class TestIPACertMatch(BaseTest):

+    patches = {

+        'ldap.initialize':

+        Mock(return_value=mock_ldap_conn())

+    }

+

+    @patch('ipalib.x509.load_certificate_list_from_file')

+    @patch('ipaserver.install.certs.CertDB')

+    def test_certs_match_ok(self, mock_certdb, mock_load_cert):

+        """ Ensure match check is ok"""

+        fake_conn = LDAPClient('ldap://localhost', no_schema=True)

+        cacertentry = LDAPEntry(fake_conn,

+                                DN('cn=%s IPA CA' % m_api.env.realm,

+                                   'cn=certificates,cn=ipa,cn=etc',

+                                    m_api.env.basedn),

+                                CACertificate=[IPACertificate()])

+        trust = {

+            ('%s IPA CA' % m_api.env.realm): 'u,u,u'

+        }

+

+        mock_certdb.return_value = mock_CertDB(trust)

+        mock_load_cert.return_value = [IPACertificate()]

+

+        framework = object()

+        registry.initialize(framework, config.Config())

+        f = IPACertMatchCheck(registry)

+        f.conn = mock_ldap([cacertentry])

+        self.results = capture_results(f)

+

+        assert len(self.results) == 3

+        for result in self.results.results:

+            assert result.result == constants.SUCCESS

+            assert result.source == 'ipahealthcheck.ipa.certs'

+            assert result.check == 'IPACertMatchCheck'

+

+    @patch('ipalib.x509.load_certificate_list_from_file')

+    @patch('ipaserver.install.certs.CertDB')

+    def test_etc_cacert_mismatch(self, mock_certdb, mock_load_cert):

+        """ Test mismatch with /etc/ipa/ca.crt """

+        fake_conn = LDAPClient('ldap://localhost', no_schema=True)

+        cacertentry = LDAPEntry(fake_conn,

+                                DN('cn=%s IPA CA' % m_api.env.realm,

+                                   'cn=certificates,cn=ipa,cn=etc',

+                                    m_api.env.basedn),

+                                CACertificate=[IPACertificate()])

+        trust = {

+            ('%s IPA CA' % m_api.env.realm): 'u,u,u'

+        }

+

+        mock_certdb.return_value = mock_CertDB(trust)

+        mock_load_cert.return_value = [IPACertificate(serial_number=2)]

+

+        framework = object()

+        registry.initialize(framework, config.Config())

+        f = IPACertMatchCheck(registry)

+        f.conn = mock_ldap([cacertentry])

+        self.results = capture_results(f)

+

+        assert len(self.results) == 3

+        result = self.results.results[0]

+        assert result.result == constants.ERROR

+        assert result.source == 'ipahealthcheck.ipa.certs'

+        assert result.check == 'IPACertMatchCheck'

+

+    @patch('ipaserver.install.cainstance.CAInstance')

+    def test_cacert_caless(self, mock_cainstance):

+        """Nothing to check if the master is CALess"""

+

+        mock_cainstance.return_value = CAInstance(False)

+

+        framework = object()

+        registry.initialize(framework, config)

+        f = IPACertMatchCheck(registry)

+

+        self.results = capture_results(f)

+

+        assert len(self.results) == 0

+

+

+class TestIPADogtagCertMatch(BaseTest):

+    patches = {

+        'ipaserver.install.krainstance.KRAInstance':

+        Mock(return_value=KRAInstance()),

+    }

+

+    @patch('ipaserver.install.certs.CertDB')

+    def test_certs_match_ok(self, mock_certdb):

+        """ Ensure match check is ok"""

+        fake_conn = LDAPClient('ldap://localhost', no_schema=True)

+        pkidbentry = LDAPEntry(fake_conn,

+                               DN('uid=pkidbuser,ou=people,o=ipaca'),

+                               userCertificate=[IPACertificate()],

+                               subjectName=['test'])

+        casignentry = LDAPEntry(fake_conn,

+                                DN('cn=%s IPA CA' % m_api.env.realm,

+                                   'cn=certificates,cn=ipa,cn=etc',

+                                    m_api.env.basedn),

+                                CACertificate=[IPACertificate()],

+                                userCertificate=[IPACertificate()],

+                                subjectName=['test'])

+        ldap_entries = [pkidbentry, casignentry]

+        trust = {

+            'ocspSigningCert cert-pki-ca': 'u,u,u',

+            'caSigningCert cert-pki-ca': 'u,u,u',

+            'subsystemCert cert-pki-ca': 'u,u,u',

+            'auditSigningCert cert-pki-ca': 'u,u,Pu',

+            'Server-Cert cert-pki-ca': 'u,u,u',

+            'transportCert cert-pki-kra': 'u,u,u',

+            'storageCert cert-pki-kra': 'u,u,u',

+            'auditSigningCert cert-pki-kra': 'u,u,Pu',

+        }

+

+        dogtag_entries_subjects = (

+            'CN=OCSP Subsystem,O=%s' % m_api.env.realm,

+            'CN=CA Subsystem,O=%s' % m_api.env.realm,

+            'CN=CA Audit,O=%s' % m_api.env.realm,

+            'CN=%s,O=%s' % (m_api.env.host, m_api.env.realm),

+            'CN=KRA Transport Certificate,O=%s' % m_api.env.realm,

+            'CN=KRA Storage Certificate,O=%s' % m_api.env.realm,

+            'CN=KRA Audit,O=%s' % m_api.env.realm,

+        )

+

+        for i, subject in enumerate(dogtag_entries_subjects):

+            entry = LDAPEntry(fake_conn,

+                              DN('cn=%i,ou=certificateRepository' % i,

+                                 'ou=ca,o=ipaca'),

+                              userCertificate=[IPACertificate()],

+                              subjectName=[subject])

+            ldap_entries.append(entry)

+

+        mock_certdb.return_value = mock_CertDB(trust)

+

+        framework = object()

+        registry.initialize(framework, config.Config())

+        f = IPADogtagCertsMatchCheck(registry)

+        f.conn = mock_ldap(ldap_entries)

+        self.results = capture_results(f)

+

+        assert len(self.results) == 3

+        for result in self.results.results:

+            assert result.result == constants.SUCCESS

+            assert result.source == 'ipahealthcheck.ipa.certs'

+            assert result.check == 'IPADogtagCertsMatchCheck'

+

+    @patch('ipaserver.install.certs.CertDB')

+    def test_certs_mismatch(self, mock_certdb):

+        """ Ensure mismatches are detected"""

+        fake_conn = LDAPClient('ldap://localhost', no_schema=True)

+        pkidbentry = LDAPEntry(fake_conn,

+                               DN('uid=pkidbuser,ou=people,o=ipaca'),

+                               userCertificate=[IPACertificate(

+                                   serial_number=2

+                               )],

+                               subjectName=['test'])

+        casignentry = LDAPEntry(fake_conn,

+                                DN('cn=%s IPA CA' % m_api.env.realm,

+                                   'cn=certificates,cn=ipa,cn=etc',

+                                    m_api.env.basedn),

+                                CACertificate=[IPACertificate()],

+                                userCertificate=[IPACertificate()],

+                                subjectName=['test'])

+        ldap_entries = [pkidbentry, casignentry]

+        trust = {

+            'ocspSigningCert cert-pki-ca': 'u,u,u',

+            'caSigningCert cert-pki-ca': 'u,u,u',

+            'subsystemCert cert-pki-ca': 'u,u,u',

+            'auditSigningCert cert-pki-ca': 'u,u,Pu',

+            'Server-Cert cert-pki-ca': 'u,u,u',

+            'transportCert cert-pki-kra': 'u,u,u',

+            'storageCert cert-pki-kra': 'u,u,u',

+            'auditSigningCert cert-pki-kra': 'u,u,Pu',

+        }

+

+        dogtag_entries_subjects = (

+            'CN=OCSP Subsystem,O=%s' % m_api.env.realm,

+            'CN=CA Subsystem,O=%s' % m_api.env.realm,

+            'CN=CA Audit,O=%s' % m_api.env.realm,

+            'CN=%s,O=%s' % (m_api.env.host, m_api.env.realm),

+            'CN=KRA Transport Certificate,O=%s' % m_api.env.realm,

+            'CN=KRA Storage Certificate,O=%s' % m_api.env.realm,

+            'CN=KRA Audit,O=%s' % m_api.env.realm,

+        )

+

+        for i, subject in enumerate(dogtag_entries_subjects):

+            entry = LDAPEntry(fake_conn,

+                              DN('cn=%i,ou=certificateRepository' % i,

+                                 'ou=ca,o=ipaca'),

+                              userCertificate=[IPACertificate()],

+                              subjectName=[subject])

+            ldap_entries.append(entry)

+

+        mock_certdb.return_value = mock_CertDB(trust)

+

+        framework = object()

+        registry.initialize(framework, config.Config())

+        f = IPADogtagCertsMatchCheck(registry)

+        f.conn = mock_ldap(ldap_entries)

+        self.results = capture_results(f)

+

+        assert len(self.results) == 3

+        result = self.results.results[0]

+        assert result.result == constants.ERROR

+        assert result.source == 'ipahealthcheck.ipa.certs'

+        assert result.check == 'IPADogtagCertsMatchCheck'

-- 

2.26.3