|
 |
7e1b55 |
From 86588640137562b2016fdb0f91142d00bc38e54a Mon Sep 17 00:00:00 2001
|
|
|
7e1b55 |
From: Rob Crittenden <rcritten@redhat.com>
|
|
|
7e1b55 |
Date: Fri, 10 Sep 2021 09:01:48 -0400
|
|
|
7e1b55 |
Subject: [PATCH] ipatests: Test that a user can be issued multiple
|
|
|
7e1b55 |
certificates
|
|
|
7e1b55 |
|
|
|
7e1b55 |
Prevent regressions in the LDAP cache layer that caused newly
|
|
|
7e1b55 |
issued certificates to overwrite existing ones.
|
|
|
7e1b55 |
|
|
|
7e1b55 |
https://pagure.io/freeipa/issue/8986
|
|
|
7e1b55 |
|
|
|
7e1b55 |
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
7e1b55 |
Reviewed-By: Francois Cami <fcami@redhat.com>
|
|
|
7e1b55 |
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
7e1b55 |
---
|
|
|
7e1b55 |
ipatests/test_integration/test_cert.py | 29 ++++++++++++++++++++++++++
|
|
|
7e1b55 |
1 file changed, 29 insertions(+)
|
|
|
7e1b55 |
|
|
|
7e1b55 |
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
|
|
|
7e1b55 |
index 7d51b76ee347237450b7484cf48c2e6a1bed7f7d..b4e85eadcf41212fdd16f0f3aa130a916b5019fa 100644
|
|
|
7e1b55 |
--- a/ipatests/test_integration/test_cert.py
|
|
|
7e1b55 |
+++ b/ipatests/test_integration/test_cert.py
|
|
|
7e1b55 |
@@ -16,6 +16,7 @@ import string
|
|
|
7e1b55 |
import time
|
|
|
7e1b55 |
|
|
|
7e1b55 |
from ipaplatform.paths import paths
|
|
|
7e1b55 |
+from ipapython.dn import DN
|
|
|
7e1b55 |
from cryptography import x509
|
|
|
7e1b55 |
from cryptography.x509.oid import ExtensionOID
|
|
|
7e1b55 |
from cryptography.hazmat.backends import default_backend
|
|
|
7e1b55 |
@@ -183,6 +184,34 @@ class TestInstallMasterClient(IntegrationTest):
|
|
|
7e1b55 |
)
|
|
|
7e1b55 |
assert "profile: caServerCert" in result.stdout_text
|
|
|
7e1b55 |
|
|
|
7e1b55 |
+ def test_multiple_user_certificates(self):
|
|
|
7e1b55 |
+ """Test that a user may be issued multiple certificates"""
|
|
|
7e1b55 |
+ ldap = self.master.ldap_connect()
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+ user = 'user1'
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+ tasks.kinit_admin(self.master)
|
|
|
7e1b55 |
+ tasks.user_add(self.master, user)
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+ for id in (0,1):
|
|
|
7e1b55 |
+ csr_file = f'{id}.csr'
|
|
|
7e1b55 |
+ key_file = f'{id}.key'
|
|
|
7e1b55 |
+ cert_file = f'{id}.crt'
|
|
|
7e1b55 |
+ openssl_cmd = [
|
|
|
7e1b55 |
+ 'openssl', 'req', '-newkey', 'rsa:2048', '-keyout', key_file,
|
|
|
7e1b55 |
+ '-nodes', '-out', csr_file, '-subj', '/CN=' + user]
|
|
|
7e1b55 |
+ self.master.run_command(openssl_cmd)
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+ cmd_args = ['ipa', 'cert-request', '--principal', user,
|
|
|
7e1b55 |
+ '--certificate-out', cert_file, csr_file]
|
|
|
7e1b55 |
+ self.master.run_command(cmd_args)
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+ # easier to count by pulling the LDAP entry
|
|
|
7e1b55 |
+ entry = ldap.get_entry(DN(('uid', user), ('cn', 'users'),
|
|
|
7e1b55 |
+ ('cn', 'accounts'), self.master.domain.basedn))
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+ assert len(entry.get('usercertificate')) == 2
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
@pytest.fixture
|
|
|
7e1b55 |
def test_subca_certs(self):
|
|
|
7e1b55 |
"""
|
|
|
7e1b55 |
--
|
|
|
7e1b55 |
2.31.1
|
|
|
7e1b55 |
|