From 940755e37b06ea95c32abd056277da19fb05ed3e Mon Sep 17 00:00:00 2001

From: Florence Blanc-Renaud <flo@redhat.com>

Date: Dec 06 2018 10:40:02 +0000

Subject: ipatest: add test for ipa-pkinit-manage enable|disable

Add a test for ipa-pkinit-manage with the following scenario:

- install master with option --no-pkinit

- call ipa-pkinit-manage enable

- call ipa-pkinit-manage disable

- call ipa-pkinit-manage enable

At each step, check that the PKINIT cert is consistent with the

expectations: when pkinit is enabled, the cert is signed by IPA

CA and tracked by 'IPA' ca helper, but when pkinit is disabled,

the cert is self-signed and tracked by 'SelfSign' CA helper.

The new test is added in the nightly definitons.

Related to https://pagure.io/freeipa/issue/7200

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

Reviewed-By: Christian Heimes <cheimes@redhat.com>

---

#diff --git a/ipatests/prci_definitions/nightly_f28.yaml b/ipatests/prci_definitions/nightly_f28.yaml

#index ae8cacc..8462c14 100644

#--- a/ipatests/prci_definitions/nightly_f28.yaml

#+++ b/ipatests/prci_definitions/nightly_f28.yaml

#@@ -639,3 +639,15 @@ jobs:

#         template: *ci-master-f28

#         timeout: 16000

#         topology: *ipaserver

#+

#+  fedora-28/test_pkinit_manage:

#+    requires: [fedora-28/build]

#+    priority: 50

#+    job:

#+      class: RunPytest

#+      args:

#+        build_url: '{fedora-28/build_url}'

#+        test_suite: test_integration/test_pkinit_manage.py

#+        template: *ci-master-f28

#+        timeout: 3600

#+        topology: *master_1repl

diff --git a/ipatests/prci_definitions/nightly_master.yaml b/ipatests/prci_definitions/nightly_master.yaml

index 66921b6..3f2b346 100644

--- a/ipatests/prci_definitions/nightly_master.yaml

+++ b/ipatests/prci_definitions/nightly_master.yaml

@@ -639,3 +639,15 @@ jobs:

         template: *ci-master-f29

         timeout: 16000

         topology: *ipaserver

+

+  fedora-29/test_pkinit_manage:

+    requires: [fedora-29/build]

+    priority: 50

+    job:

+      class: RunPytest

+      args:

+        build_url: '{fedora-29/build_url}'

+        test_suite: test_integration/test_pkinit_manage.py

+        template: *ci-master-f29

+        timeout: 3600

+        topology: *master_1repl

diff --git a/ipatests/prci_definitions/nightly_rawhide.yaml b/ipatests/prci_definitions/nightly_rawhide.yaml

index 24c26be..bdc34d2 100644

--- a/ipatests/prci_definitions/nightly_rawhide.yaml

+++ b/ipatests/prci_definitions/nightly_rawhide.yaml

@@ -627,3 +627,15 @@ jobs:

         template: *ci-master-frawhide

         timeout: 7200

         topology: *ipaserver

+

+  fedora-rawhide/test_pkinit_manage:

+    requires: [fedora-rawhide/build]

+    priority: 50

+    job:

+      class: RunPytest

+      args:

+        build_url: '{fedora-rawhide/build_url}'

+        test_suite: test_integration/test_pkinit_manage.py

+        template: *ci-master-frawhide

+        timeout: 3600

+        topology: *master_1repl

diff --git a/ipatests/test_integration/test_pkinit_manage.py b/ipatests/test_integration/test_pkinit_manage.py

new file mode 100644

index 0000000..bc1d9e3

--- /dev/null

+++ b/ipatests/test_integration/test_pkinit_manage.py

@@ -0,0 +1,111 @@

+#

+# Copyright (C) 2018  FreeIPA Contributors see COPYING for license

+#

+

+"""

+Module provides tests for the ipa-pkinit-manage command.

+"""

+

+from __future__ import absolute_import

+

+from ipalib import x509

+from ipaplatform.paths import paths

+from ipapython.dn import DN

+from ipatests.test_integration.base import IntegrationTest

+from ipatests.pytest_ipa.integration import tasks

+

+

+SELFSIGNED_CA_HELPER = 'SelfSign'

+IPA_CA_HELPER = 'IPA'

+PKINIT_STATUS_ENABLED = 'enabled'

+PKINIT_STATUS_DISABLED = 'disabled'

+

+

+def check_pkinit_status(host, status):

+    """Ensures that ipa-pkinit-manage status returns the expected state"""

+    result = host.run_command(['ipa-pkinit-manage', 'status'],

+                              raiseonerr=False)

+    assert result.returncode == 0

+    assert 'PKINIT is {}'.format(status) in result.stdout_text

+

+

+def check_pkinit_tracking(host, ca_helper):

+    """Ensures that the PKINIT cert is tracked by the expected helper"""

+    result = host.run_command(['getcert', 'list', '-f', paths.KDC_CERT],

+                              raiseonerr=False)

+    assert result.returncode == 0

+    # Make sure that only one request exists

+    assert result.stdout_text.count('Request ID') == 1

+    # Make sure that the right CA helper is used to track the cert

+    assert 'CA: {}'.format(ca_helper) in result.stdout_text

+

+

+def check_pkinit_cert_issuer(host, issuer):

+    """Ensures that the PKINIT cert is signed by the expected issuer"""

+    data = host.get_file_contents(paths.KDC_CERT)

+    pkinit_cert = x509.load_pem_x509_certificate(data)

+    # Make sure that the issuer is the expected one

+    assert DN(pkinit_cert.issuer) == DN(issuer)

+

+

+def check_pkinit(host, enabled=True):

+    """Checks that PKINIT is configured as expected

+

+    If enabled:

+    ipa-pkinit-manage status must return 'PKINIT is enabled'

+    the certificate must be tracked by IPA CA helper

+    the certificate must be signed by IPA CA

+    If disabled:

+    ipa-pkinit-manage status must return 'PKINIT is disabled'

+    the certificate must be tracked by SelfSign CA helper

+    the certificate must be self-signed

+    """

+    if enabled:

+        # When pkinit is enabled:

+        # cert is tracked by IPA CA helper

+        # cert is signed by IPA CA

+        check_pkinit_status(host, PKINIT_STATUS_ENABLED)

+        check_pkinit_tracking(host, IPA_CA_HELPER)

+        check_pkinit_cert_issuer(

+            host,

+            'CN=Certificate Authority,O={}'.format(host.domain.realm))

+    else:

+        # When pkinit is disabled

+        # cert is tracked by 'SelfSign' CA helper

+        # cert is self-signed

+        check_pkinit_status(host, PKINIT_STATUS_DISABLED)

+        check_pkinit_tracking(host, SELFSIGNED_CA_HELPER)

+        check_pkinit_cert_issuer(

+            host,

+            'CN={},O={}'.format(host.hostname, host.domain.realm))

+

+

+class TestPkinitManage(IntegrationTest):

+    """Tests the ipa-pkinit-manage command.

+

+    ipa-pkinit-manage can be used to enable, disable or check

+    the status of PKINIT.

+    When pkinit is enabled, the kerberos server is using a certificate

+    signed either externally or by IPA CA. In the latter case, certmonger

+    is tracking the cert with IPA helper.

+    When pkinit is disabled, the kerberos server is using a self-signed

+    certificate that is tracked by certmonger with the SelfSigned helper.

+    """

+

+    @classmethod

+    def install(cls, mh):

+        # Install the master with PKINIT disabled

+        tasks.install_master(cls.master, extra_args=['--no-pkinit'])

+        check_pkinit(cls.master, enabled=False)

+

+    def test_pkinit_enable(self):

+        self.master.run_command(['ipa-pkinit-manage', 'enable'])

+        check_pkinit(self.master, enabled=True)

+

+    def test_pkinit_disable(self):

+        self.master.run_command(['ipa-pkinit-manage', 'disable'])

+        check_pkinit(self.master, enabled=False)

+

+    def test_pkinit_reenable(self):

+        self.master.run_command(['ipa-pkinit-manage', 'enable'])

+        check_pkinit(self.master, enabled=True)

From ffa04a1862be198b9e1a5f6205d1ae0909ac5a4d Mon Sep 17 00:00:00 2001

From: Florence Blanc-Renaud <flo@redhat.com>

Date: Dec 06 2018 10:40:02 +0000

Subject: PKINIT: fix ipa-pkinit-manage enable|disable

The command ipa-pkinit-manage enable|disable is reporting

success even though the PKINIT cert is not re-issued.

The command triggers the request of a new certificate

(signed by IPA CA when state=enable, selfsigned when disabled),

but as the cert file is still present, certmonger does not create

a new request and the existing certificate is kept.

The fix consists in deleting the cert and key file before calling

certmonger to request a new cert.

There was also an issue in the is_pkinit_enabled() function:

if no tracking request was found for the PKINIT cert,

is_pkinit_enabled() was returning True while it should not.

Fixes https://pagure.io/freeipa/issue/7200

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

Reviewed-By: Christian Heimes <cheimes@redhat.com>

---

diff --git a/ipaserver/install/ipa_pkinit_manage.py b/ipaserver/install/ipa_pkinit_manage.py

index 4a79bba..86bd1ba 100644

--- a/ipaserver/install/ipa_pkinit_manage.py

+++ b/ipaserver/install/ipa_pkinit_manage.py

@@ -72,6 +72,8 @@ class PKINITManage(AdminTool):

                 if ca_enabled:

                     logger.warning(

                         "Failed to stop tracking certificates: %s", e)

+            # remove the cert and key

+            krb.delete_pkinit_cert()

             krb.enable_ssl()

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py

index 4ead1c5..850946a 100644

--- a/ipaserver/install/krbinstance.py

+++ b/ipaserver/install/krbinstance.py

@@ -77,7 +77,7 @@ def is_pkinit_enabled():

     if os.path.exists(paths.KDC_CERT):

         pkinit_request_ca = get_pkinit_request_ca()

-        if pkinit_request_ca != "SelfSign":

+        if pkinit_request_ca and pkinit_request_ca != "SelfSign":

             return True

     return False

@@ -602,6 +602,10 @@ class KrbInstance(service.Service):

     def stop_tracking_certs(self):

         certmonger.stop_tracking(certfile=paths.KDC_CERT)

+    def delete_pkinit_cert(self):

+        installutils.remove_file(paths.KDC_CERT)

+        installutils.remove_file(paths.KDC_KEY)

+

     def uninstall(self):

         if self.is_configured():

             self.print_msg("Unconfiguring %s" % self.service_name)

@@ -627,8 +631,7 @@ class KrbInstance(service.Service):

         # stop tracking and remove certificates

         self.stop_tracking_certs()

         installutils.remove_file(paths.CACERT_PEM)

-        installutils.remove_file(paths.KDC_CERT)

-        installutils.remove_file(paths.KDC_KEY)

+        self.delete_pkinit_cert()

         if running:

             self.restart()