Require an imported certificate's issuer to match our issuer.

The goal is to not import foreign certificates. This caused a bunch of tests to fail because we had a hardcoded server certificate. Instead a developer will need to run make-testcert to create a server certificate generated by the local CA to test against. ticket 1134
author: Rob Crittenden <rcritten@redhat.com> 2011-04-26 16:45:19 -0400
committer: Rob Crittenden <rcritten@redhat.com> 2011-06-16 19:27:17 -0400
commit: a2a3782efb386f18689faf35a069c4da1085e87d (patch)
tree: b8c4b2bf7c13307eccf3be5f962a680ae97e122b /tests
parent: ed7a3e005a052845b7302744c0f6c16f7cdfd511 (diff)
download: freeipa-a2a3782efb386f18689faf35a069c4da1085e87d.tar.gz
freeipa-a2a3782efb386f18689faf35a069c4da1085e87d.tar.xz
freeipa-a2a3782efb386f18689faf35a069c4da1085e87d.zip
3 files changed, 60 insertions, 35 deletions
diff --git a/tests/test_xmlrpc/test_host_plugin.py b/tests/test_xmlrpc/test_host_plugin.py
index ff87bc248..f4e020ed7 100644
--- a/tests/test_xmlrpc/test_host_plugin.py
+++ b/tests/test_xmlrpc/test_host_plugin.py
@@ -22,8 +22,9 @@
 Test the `ipalib.plugins.host` module.
 """
 
-from ipalib import api, errors
-from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid
+from ipalib import api, errors, x509
+from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_digits
+from tests.test_xmlrpc.xmlrpc_test import fuzzy_hash, fuzzy_date
 from tests.test_xmlrpc import objectclasses
 import base64
 
@@ -39,8 +40,12 @@ fqdn3 = u'testhost2.%s' % api.env.domain
 short3 = u'testhost2'
 dn3 = u'fqdn=%s,cn=computers,cn=accounts,%s' % (fqdn3, api.env.basedn)
 
-servercert = 'MIICbzCCAdigAwIBAgICA/4wDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDgwOTE1MDIyN1oXDTIwMDgwOTE1MDIyN1owKTEMMAoGA1UEChMDSVBBMRkwFwYDVQQDExBwdW1hLmdyZXlvYWsuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwYbfEOQPgGenPn9vt1JFKvWm/Je3y2tawGWA3LXDuqfFJyYtZ8ib3TcBUOnLk9WK5g2qCwHaNlei7bj8ggIfr5hegAVe10cun+wYErjnYo7hsHYd+57VZezeipWrXu+7NoNd4+c4A5lk4A/xJay9j3bYx2oOM8BEox4xWYoWge1ljPrc5JK46f0X7AGW4F2VhnKPnf8rwSuzI1U8VGjutyM9TWNy3m9KMWeScjyG/ggIpOjUDMV7HkJL0Di61lznR9jXubpiEC7gWGbTp84eGl/Nn9bgK1AwHfJ2lHwfoY4uiL7ge1gyP6EvuUlHoBzdb7pekiX28iePjW3iEG9IawIDAQABoyIwIDARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEBBQUAA4GBACRESLemRV9BPxfEgbALuxH5oE8jQm8WZ3pm2pALbpDlAd9wQc3yVf6RtkfVthyDnM18bg7IhxKpd77/p3H8eCnS8w5MLVRda6ktUC6tGhFTS4QKAf0WyDGTcIgkXbeDw0OPAoNHivoXbIXIIRxlw/XgaSaMzJQDBG8iROsN4kCv'
-
+# We can use the same cert we generated for the service tests
+fd = open('tests/test_xmlrpc/service.crt', 'r')
+servercert = fd.readlines()
+servercert = ''.join(servercert)
+servercert = x509.strip_header(servercert)
+fd.close()
 
 class test_host(Declarative):
 
@@ -225,13 +230,13 @@ class test_host(Declarative):
                     krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                     managedby_host=[u'%s' % fqdn1],
                     usercertificate=[base64.b64decode(servercert)],
-                    valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC',
-                    valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC',
-                    subject=u'CN=puma.greyoak.com,O=IPA',
-                    serial_number=u'1022',
-                    md5_fingerprint=u'ef:63:31:e4:33:54:8d:fd:fe:c8:66:57:09:03:5f:09',
-                    sha1_fingerprint=u'e3:33:2c:d9:7c:e9:77:74:2a:ac:3b:b8:76:b0:86:29:98:43:58:11',
-                    issuer=u'CN=IPA Test Certificate Authority',
+                    valid_not_before=fuzzy_date,
+                    valid_not_after=fuzzy_date,
+                    subject=u'CN=%s,O=%s' % (api.env.host, api.env.realm),
+                    serial_number=fuzzy_digits,
+                    md5_fingerprint=fuzzy_hash,
+                    sha1_fingerprint=fuzzy_hash,
+                    issuer=u'CN=%s Certificate Authority' % api.env.realm,
                 ),
             ),
         ),
@@ -252,13 +257,13 @@ class test_host(Declarative):
                     has_keytab=False,
                     managedby_host=[u'%s' % fqdn1],
                     usercertificate=[base64.b64decode(servercert)],
-                    valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC',
-                    valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC',
-                    subject=u'CN=puma.greyoak.com,O=IPA',
-                    serial_number=u'1022',
-                    md5_fingerprint=u'ef:63:31:e4:33:54:8d:fd:fe:c8:66:57:09:03:5f:09',
-                    sha1_fingerprint=u'e3:33:2c:d9:7c:e9:77:74:2a:ac:3b:b8:76:b0:86:29:98:43:58:11',
-                    issuer=u'CN=IPA Test Certificate Authority',
+                    valid_not_before=fuzzy_date,
+                    valid_not_after=fuzzy_date,
+                    subject=u'CN=%s,O=%s' % (api.env.host, api.env.realm),
+                    serial_number=fuzzy_digits,
+                    md5_fingerprint=fuzzy_hash,
+                    sha1_fingerprint=fuzzy_hash,
+                    issuer=u'CN=%s Certificate Authority' % api.env.realm,
                 ),
             ),
         ),
diff --git a/tests/test_xmlrpc/test_service_plugin.py b/tests/test_xmlrpc/test_service_plugin.py
index 7c13eb46b..be58b3511 100644
--- a/tests/test_xmlrpc/test_service_plugin.py
+++ b/tests/test_xmlrpc/test_service_plugin.py
@@ -21,8 +21,9 @@
 Test the `ipalib/plugins/service.py` module.
 """
 
-from ipalib import api, errors
-from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid
+from ipalib import api, errors, x509
+from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
+from tests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date
 from tests.test_xmlrpc import objectclasses
 import base64
 
@@ -37,7 +38,13 @@ host1dn = u'fqdn=%s,cn=computers,cn=accounts,%s' % (fqdn1, api.env.basedn)
 host2dn = u'fqdn=%s,cn=computers,cn=accounts,%s' % (fqdn2, api.env.basedn)
 host3dn = u'fqdn=%s,cn=computers,cn=accounts,%s' % (fqdn3.lower(), api.env.basedn)
 
-servercert = 'MIICbzCCAdigAwIBAgICA/4wDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDgwOTE1MDIyN1oXDTIwMDgwOTE1MDIyN1owKTEMMAoGA1UEChMDSVBBMRkwFwYDVQQDExBwdW1hLmdyZXlvYWsuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwYbfEOQPgGenPn9vt1JFKvWm/Je3y2tawGWA3LXDuqfFJyYtZ8ib3TcBUOnLk9WK5g2qCwHaNlei7bj8ggIfr5hegAVe10cun+wYErjnYo7hsHYd+57VZezeipWrXu+7NoNd4+c4A5lk4A/xJay9j3bYx2oOM8BEox4xWYoWge1ljPrc5JK46f0X7AGW4F2VhnKPnf8rwSuzI1U8VGjutyM9TWNy3m9KMWeScjyG/ggIpOjUDMV7HkJL0Di61lznR9jXubpiEC7gWGbTp84eGl/Nn9bgK1AwHfJ2lHwfoY4uiL7ge1gyP6EvuUlHoBzdb7pekiX28iePjW3iEG9IawIDAQABoyIwIDARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEBBQUAA4GBACRESLemRV9BPxfEgbALuxH5oE8jQm8WZ3pm2pALbpDlAd9wQc3yVf6RtkfVthyDnM18bg7IhxKpd77/p3H8eCnS8w5MLVRda6ktUC6tGhFTS4QKAf0WyDGTcIgkXbeDw0OPAoNHivoXbIXIIRxlw/XgaSaMzJQDBG8iROsN4kCv'
+fd = open('tests/test_xmlrpc/service.crt', 'r')
+servercert = fd.readlines()
+servercert = ''.join(servercert)
+servercert = x509.strip_header(servercert)
+fd.close()
+
+badservercert = 'MIICbzCCAdigAwIBAgICA/4wDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDgwOTE1MDIyN1oXDTIwMDgwOTE1MDIyN1owKTEMMAoGA1UEChMDSVBBMRkwFwYDVQQDExBwdW1hLmdyZXlvYWsuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwYbfEOQPgGenPn9vt1JFKvWm/Je3y2tawGWA3LXDuqfFJyYtZ8ib3TcBUOnLk9WK5g2qCwHaNlei7bj8ggIfr5hegAVe10cun+wYErjnYo7hsHYd+57VZezeipWrXu+7NoNd4+c4A5lk4A/xJay9j3bYx2oOM8BEox4xWYoWge1ljPrc5JK46f0X7AGW4F2VhnKPnf8rwSuzI1U8VGjutyM9TWNy3m9KMWeScjyG/ggIpOjUDMV7HkJL0Di61lznR9jXubpiEC7gWGbTp84eGl/Nn9bgK1AwHfJ2lHwfoY4uiL7ge1gyP6EvuUlHoBzdb7pekiX28iePjW3iEG9IawIDAQABoyIwIDARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEBBQUAA4GBACRESLemRV9BPxfEgbALuxH5oE8jQm8WZ3pm2pALbpDlAd9wQc3yVf6RtkfVthyDnM18bg7IhxKpd77/p3H8eCnS8w5MLVRda6ktUC6tGhFTS4QKAf0WyDGTcIgkXbeDw0OPAoNHivoXbIXIIRxlw/XgaSaMzJQDBG8iROsN4kCv'
 
 
 class test_host(Declarative):
@@ -346,6 +353,13 @@ class test_host(Declarative):
 
 
         dict(
+            desc='Update %r with a bad certificate' % service1,
+            command=('service_mod', [service1], dict(usercertificate=badservercert)),
+            expected=errors.CertificateOperationError(error='exact error msg not needed'),
+        ),
+
+
+        dict(
             desc='Update %r' % service1,
             command=('service_mod', [service1], dict(usercertificate=servercert)),
             expected=dict(
@@ -355,13 +369,13 @@ class test_host(Declarative):
                     usercertificate=[base64.b64decode(servercert)],
                     krbprincipalname=[service1],
                     managedby_host=[fqdn1],
-                    valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC',
-                    valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC',
-                    subject=u'CN=puma.greyoak.com,O=IPA',
-                    serial_number=u'1022',
-                    md5_fingerprint=u'ef:63:31:e4:33:54:8d:fd:fe:c8:66:57:09:03:5f:09',
-                    sha1_fingerprint=u'e3:33:2c:d9:7c:e9:77:74:2a:ac:3b:b8:76:b0:86:29:98:43:58:11',
-                    issuer=u'CN=IPA Test Certificate Authority',
+                    valid_not_before=fuzzy_date,
+                    valid_not_after=fuzzy_date,
+                    subject=u'CN=%s,O=%s' % (api.env.host, api.env.realm),
+                    serial_number=fuzzy_digits,
+                    md5_fingerprint=fuzzy_hash,
+                    sha1_fingerprint=fuzzy_hash,
+                    issuer=u'CN=%s Certificate Authority' % api.env.realm,
                 ),
             ),
         ),
@@ -381,13 +395,13 @@ class test_host(Declarative):
                     managedby_host=[fqdn1],
                     # These values come from the servercert that is in this
                     # test case.
-                    valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC',
-                    valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC',
-                    subject=u'CN=puma.greyoak.com,O=IPA',
-                    serial_number=u'1022',
-                    md5_fingerprint=u'ef:63:31:e4:33:54:8d:fd:fe:c8:66:57:09:03:5f:09',
-                    sha1_fingerprint=u'e3:33:2c:d9:7c:e9:77:74:2a:ac:3b:b8:76:b0:86:29:98:43:58:11',
-                    issuer=u'CN=IPA Test Certificate Authority',
+                    valid_not_before=fuzzy_date,
+                    valid_not_after=fuzzy_date,
+                    subject=u'CN=%s,O=%s' % (api.env.host, api.env.realm),
+                    serial_number=fuzzy_digits,
+                    md5_fingerprint=fuzzy_hash,
+                    sha1_fingerprint=fuzzy_hash,
+                    issuer=u'CN=%s Certificate Authority' % api.env.realm,
                 ),
             ),
         ),
diff --git a/tests/test_xmlrpc/xmlrpc_test.py b/tests/test_xmlrpc/xmlrpc_test.py
index 7543fdeee..7b6a74177 100644
--- a/tests/test_xmlrpc/xmlrpc_test.py
+++ b/tests/test_xmlrpc/xmlrpc_test.py
@@ -44,6 +44,12 @@ fuzzy_netgroupdn = Fuzzy(
     'ipauniqueid=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12},cn=ng,cn=alt,%s' % api.env.basedn
 )
 
+# Matches a hash signature, not enforcing length
+fuzzy_hash = Fuzzy('^([a-f0-9][a-f0-9]:)+[a-f0-9][a-f0-9]$', type=basestring)
+
+# Matches a date, like Tue Apr 26 17:45:35 2016 UTC
+fuzzy_date = Fuzzy('^[a-zA-Z]{3} [a-zA-Z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} UTC$')
+
 try:
     if not api.Backend.xmlclient.isconnected():
         api.Backend.xmlclient.connect(fallback=False)
author	Rob Crittenden <rcritten@redhat.com>	2011-04-26 16:45:19 -0400
committer	Rob Crittenden <rcritten@redhat.com>	2011-06-16 19:27:17 -0400
commit	a2a3782efb386f18689faf35a069c4da1085e87d (patch)
tree	b8c4b2bf7c13307eccf3be5f962a680ae97e122b /tests
parent	ed7a3e005a052845b7302744c0f6c16f7cdfd511 (diff)
download	freeipa-a2a3782efb386f18689faf35a069c4da1085e87d.tar.gz freeipa-a2a3782efb386f18689faf35a069c4da1085e87d.tar.xz freeipa-a2a3782efb386f18689faf35a069c4da1085e87d.zip