From 3e0e8c309c70a0d379b985189c23f1bacd62a96e Mon Sep 17 00:00:00 2001

From: Florence Blanc-Renaud <flo@redhat.com>

Date: Fri, 30 Nov 2018 15:46:25 +0100

Subject: [PATCH] ipatest: add test for ipa-pkinit-manage enable|disable

Add a test for ipa-pkinit-manage with the following scenario:

- install master with option --no-pkinit

- call ipa-pkinit-manage enable

- call ipa-pkinit-manage disable

- call ipa-pkinit-manage enable

At each step, check that the PKINIT cert is consistent with the

expectations: when pkinit is enabled, the cert is signed by IPA

CA and tracked by 'IPA' ca helper, but when pkinit is disabled,

the cert is self-signed and tracked by 'SelfSign' CA helper.

Related to https://pagure.io/freeipa/issue/7200

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

Reviewed-By: Christian Heimes <cheimes@redhat.com>

---

 .../test_integration/test_pkinit_manage.py    | 111 ++++++++++++++++++

 1 file changed, 111 insertions(+)

 create mode 100644 ipatests/test_integration/test_pkinit_manage.py

diff --git a/ipatests/test_integration/test_pkinit_manage.py b/ipatests/test_integration/test_pkinit_manage.py

new file mode 100644

index 0000000000000000000000000000000000000000..bc1d9e338cdf4e7a503b3c83ac12792894eecce2

--- /dev/null

+++ b/ipatests/test_integration/test_pkinit_manage.py

@@ -0,0 +1,111 @@

+#

+# Copyright (C) 2018  FreeIPA Contributors see COPYING for license

+#

+

+"""

+Module provides tests for the ipa-pkinit-manage command.

+"""

+

+from __future__ import absolute_import

+

+from ipalib import x509

+from ipaplatform.paths import paths

+from ipapython.dn import DN

+from ipatests.test_integration.base import IntegrationTest

+from ipatests.pytest_ipa.integration import tasks

+

+

+SELFSIGNED_CA_HELPER = 'SelfSign'

+IPA_CA_HELPER = 'IPA'

+PKINIT_STATUS_ENABLED = 'enabled'

+PKINIT_STATUS_DISABLED = 'disabled'

+

+

+def check_pkinit_status(host, status):

+    """Ensures that ipa-pkinit-manage status returns the expected state"""

+    result = host.run_command(['ipa-pkinit-manage', 'status'],

+                              raiseonerr=False)

+    assert result.returncode == 0

+    assert 'PKINIT is {}'.format(status) in result.stdout_text

+

+

+def check_pkinit_tracking(host, ca_helper):

+    """Ensures that the PKINIT cert is tracked by the expected helper"""

+    result = host.run_command(['getcert', 'list', '-f', paths.KDC_CERT],

+                              raiseonerr=False)

+    assert result.returncode == 0

+    # Make sure that only one request exists

+    assert result.stdout_text.count('Request ID') == 1

+    # Make sure that the right CA helper is used to track the cert

+    assert 'CA: {}'.format(ca_helper) in result.stdout_text

+

+

+def check_pkinit_cert_issuer(host, issuer):

+    """Ensures that the PKINIT cert is signed by the expected issuer"""

+    data = host.get_file_contents(paths.KDC_CERT)

+    pkinit_cert = x509.load_pem_x509_certificate(data)

+    # Make sure that the issuer is the expected one

+    assert DN(pkinit_cert.issuer) == DN(issuer)

+

+

+def check_pkinit(host, enabled=True):

+    """Checks that PKINIT is configured as expected

+

+    If enabled:

+    ipa-pkinit-manage status must return 'PKINIT is enabled'

+    the certificate must be tracked by IPA CA helper

+    the certificate must be signed by IPA CA

+    If disabled:

+    ipa-pkinit-manage status must return 'PKINIT is disabled'

+    the certificate must be tracked by SelfSign CA helper

+    the certificate must be self-signed

+    """

+    if enabled:

+        # When pkinit is enabled:

+        # cert is tracked by IPA CA helper

+        # cert is signed by IPA CA

+        check_pkinit_status(host, PKINIT_STATUS_ENABLED)

+        check_pkinit_tracking(host, IPA_CA_HELPER)

+        check_pkinit_cert_issuer(

+            host,

+            'CN=Certificate Authority,O={}'.format(host.domain.realm))

+    else:

+        # When pkinit is disabled

+        # cert is tracked by 'SelfSign' CA helper

+        # cert is self-signed

+        check_pkinit_status(host, PKINIT_STATUS_DISABLED)

+        check_pkinit_tracking(host, SELFSIGNED_CA_HELPER)

+        check_pkinit_cert_issuer(

+            host,

+            'CN={},O={}'.format(host.hostname, host.domain.realm))

+

+

+class TestPkinitManage(IntegrationTest):

+    """Tests the ipa-pkinit-manage command.

+

+    ipa-pkinit-manage can be used to enable, disable or check

+    the status of PKINIT.

+    When pkinit is enabled, the kerberos server is using a certificate

+    signed either externally or by IPA CA. In the latter case, certmonger

+    is tracking the cert with IPA helper.

+    When pkinit is disabled, the kerberos server is using a self-signed

+    certificate that is tracked by certmonger with the SelfSigned helper.

+    """

+

+    @classmethod

+    def install(cls, mh):

+        # Install the master with PKINIT disabled

+        tasks.install_master(cls.master, extra_args=['--no-pkinit'])

+        check_pkinit(cls.master, enabled=False)

+

+    def test_pkinit_enable(self):

+        self.master.run_command(['ipa-pkinit-manage', 'enable'])

+        check_pkinit(self.master, enabled=True)

+

+    def test_pkinit_disable(self):

+        self.master.run_command(['ipa-pkinit-manage', 'disable'])

+        check_pkinit(self.master, enabled=False)

+

+    def test_pkinit_reenable(self):

+        self.master.run_command(['ipa-pkinit-manage', 'enable'])

+        check_pkinit(self.master, enabled=True)

-- 

2.17.2