From e6627a5d7818684bad09ad952aa0415a929b231a Mon Sep 17 00:00:00 2001

From: Florence Blanc-Renaud <flo@redhat.com>

Date: Mon, 3 Aug 2020 18:53:47 +0200

Subject: [PATCH] ipatests: check KDC cert permissions in CA less install

The KDC certificate file must be stored with 644 permissions.

Add a test checking the file permissions on server + replica.

Related: https://pagure.io/freeipa/issue/8440

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 ipatests/test_integration/test_caless.py | 9 +++++++++

 1 file changed, 9 insertions(+)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py

index 529611b183e14f7b23910987bb15ee21492d6f27..fc38b807d357c995b2d6fc04c5612109d38b5f1e 100644

--- a/ipatests/test_integration/test_caless.py

+++ b/ipatests/test_integration/test_caless.py

@@ -1564,6 +1564,13 @@ class TestCertInstall(CALessBase):

         assert result.returncode == 0

+def verify_kdc_cert_perms(host):

+    """Verify that the KDC cert pem file has 0644 perms"""

+    cmd = host.run_command(['stat', '-c',

+                           '"%a %G:%U"', paths.KDC_CERT])

+    assert "644 root:root" in cmd.stdout_text

+

+

 class TestPKINIT(CALessBase):

     """Install master and replica with PKINIT"""

     num_replicas = 1

@@ -1577,6 +1584,7 @@ class TestPKINIT(CALessBase):

         result = cls.install_server(pkinit_pkcs12_exists=True,

                                     pkinit_pin=_DEFAULT)

         assert result.returncode == 0

+        verify_kdc_cert_perms(cls.master)

     @replica_install_teardown

     def test_server_replica_install_pkinit(self):

@@ -1586,6 +1594,7 @@ class TestPKINIT(CALessBase):

                                       pkinit_pin=_DEFAULT)

         assert result.returncode == 0

         self.verify_installation()

+        verify_kdc_cert_perms(self.replicas[0])

 class TestServerReplicaCALessToCAFull(CALessBase):

-- 

2.26.2