diff options
-rw-r--r-- | Makefile | 1 | ||||
-rw-r--r-- | ipalib/plugins/host.py | 7 | ||||
-rw-r--r-- | ipalib/plugins/service.py | 27 | ||||
-rwxr-xr-x | make-testcert | 135 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_host_plugin.py | 41 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_service_plugin.py | 48 | ||||
-rw-r--r-- | tests/test_xmlrpc/xmlrpc_test.py | 6 |
7 files changed, 228 insertions, 37 deletions
@@ -82,6 +82,7 @@ lint: test: $(MAKE) -C install/po test_lang + ./make-testcert ./make-test release-update: diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 29f659f9c..5d6a23f42 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -85,6 +85,7 @@ from ipalib.plugins.service import normalize_certificate from ipalib.plugins.service import set_certificate_attrs from ipalib.plugins.service import make_pem, check_writable_file from ipalib.plugins.service import write_certificate +from ipalib.plugins.service import verify_cert_subject from ipalib.plugins.dns import dns_container_exists, _record_types from ipalib.plugins.dns import add_forward_record from ipalib import _, ngettext @@ -400,6 +401,11 @@ class host_add(LDAPCreate): # save the password so it can be displayed in post_callback setattr(context, 'randompassword', entry_attrs['userpassword']) del entry_attrs['random'] + cert = options.get('usercertificate') + if cert: + cert = normalize_certificate(cert) + verify_cert_subject(ldap, keys[-1], cert) + entry_attrs['usercertificate'] = cert entry_attrs['managedby'] = dn return dn @@ -600,6 +606,7 @@ class host_mod(LDAPUpdate): entry_attrs['objectclass'] = obj_classes cert = normalize_certificate(entry_attrs.get('usercertificate')) if cert: + verify_cert_subject(ldap, keys[-1], cert) (dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate']) if 'usercertificate' in entry_attrs_old: oldcert = normalize_certificate(entry_attrs_old.get('usercertificate')[0]) diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index 2f47e065d..85956272b 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -206,6 +206,25 @@ def normalize_certificate(cert): return cert +def verify_cert_subject(ldap, hostname, cert): + """ + Verify that the certificate issuer we're adding matches the issuer + base of our installation. + + This assumes the certificate has already been normalized. + + This raises an exception on errors and returns nothing otherwise. + """ + cert = x509.load_certificate(cert, datatype=x509.DER) + subject = str(cert.subject) + issuer = str(cert.issuer) + + # Handle both supported forms of issuer, from selfsign and dogtag. + if ((issuer != 'CN=%s Certificate Authority' % api.env.realm) and + (issuer != 'CN=Certificate Authority,O=%s' % api.env.realm)): + raise errors.CertificateOperationError(error=_('Issuer "%(issuer)s" does not match the expected issuer') % \ + {'issuer' : issuer}) + def set_certificate_attrs(entry_attrs): """ Set individual attributes from some values from a certificate. @@ -342,7 +361,9 @@ class service_add(LDAPCreate): cert = options.get('usercertificate') if cert: - entry_attrs['usercertificate'] = normalize_certificate(cert) + cert = normalize_certificate(cert) + verify_cert_subject(ldap, hostname, cert) + entry_attrs['usercertificate'] = cert if not options.get('force', False): # We know the host exists if we've gotten this far but we @@ -406,9 +427,11 @@ class service_mod(LDAPUpdate): def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): if 'usercertificate' in options: + (service, hostname, realm) = split_principal(keys[-1]) cert = options.get('usercertificate') - cert = normalize_certificate(cert) if cert: + cert = normalize_certificate(cert) + verify_cert_subject(ldap, hostname, cert) (dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate']) if 'usercertificate' in entry_attrs_old: # FIXME: what to do here? do we revoke the old cert? diff --git a/make-testcert b/make-testcert new file mode 100755 index 000000000..e0c3db649 --- /dev/null +++ b/make-testcert @@ -0,0 +1,135 @@ +#!/usr/bin/python +# +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +""" +Generate a custom certificate used in the service unit tests. The certificate +will be created in tests/test_xmlrpc/service.crt +""" +import sys +import os +import tempfile +import shutil +import nss.nss as nss +from ipalib import api, x509, backend, errors +from ipaserver.plugins import rabase +from ipapython import ipautil + +CERTPATH = 'tests/test_xmlrpc/service.crt' + +def run_certutil(reqdir, args, stdin=None): + """ + Run an NSS certutil command + """ + new_args = ["/usr/bin/certutil", "-d", reqdir] + new_args = new_args + args + return ipautil.run(new_args, stdin) + +def generateCSR(reqdir, pwname, subject): + """ + Create a CSR for the given subject. + """ + run_certutil(reqdir, ["-R", "-s", subject, + "-o", '%s/req' % reqdir, + "-z", "/etc/group", + "-f", pwname, + "-a", + ]) + fp = open('%s/req' % reqdir, "r") + data = fp.read() + fp.close() + return data + +class client(backend.Executioner): + """ + A simple-minded IPA client that can execute remote commands. + """ + + def run(self, method, *args, **options): + self.create_context() + result = self.execute(method, *args, **options) + return result + + +def makecert(reqdir): + """ + Generate a service certificate that can be used during unit testing. + """ + cfg = dict( + context='cli', + in_server=False, + debug=False, + verbose=0, + ) + + api.bootstrap(**cfg) + api.register(client) + api.finalize() + + # This needs to be imported after the API is initialized + from ipalib.plugins.service import make_pem + + ra = rabase.rabase() + if not os.path.exists(ra.sec_dir) and api.env.xmlrpc_uri == 'http://localhost:8888/ipa/xml': + sys.exit('The in-tree self-signed CA is not configured, see tests/test_xmlrpc/test_cert.py') + + pwname = reqdir + "/pwd" + + # Create an empty password file + fp = open(pwname, "w") + fp.write("\n") + fp.close() + + # Generate NSS cert database to store the private key for our CSR + run_certutil(reqdir, ["-N", "-f", pwname]) + + cert = None + subject = 'CN=%s,O=%s' % (api.env.host, api.env.realm) + princ = 'unittest/%s@%s' % (api.env.host, api.env.realm) + csr = unicode(generateCSR(reqdir, pwname, subject)) + + try: + res = api.Backend.client.run('cert_request', csr, principal=princ, + add=True) + cert = make_pem(res['result']['certificate']) + fd = open(CERTPATH, 'w') + fd.write(cert) + fd.close() + except errors.NotFound: + return "certificate request failed" + except errors.CommandError: + return "You need to set enable_ra=True in ~/.ipa/default.conf" + + nss.nss_init_nodb() + c = x509.load_certificate(cert, x509.PEM) + print c + + return 0 + +reqdir = None + +if os.path.exists(CERTPATH): + print "Test certificate %s exists, skipping." % CERTPATH + sys.exit(0) +try: + reqdir = tempfile.mkdtemp(prefix = "tmp-") + sys.exit(makecert(reqdir)) +finally: + shutil.rmtree(reqdir) diff --git a/tests/test_xmlrpc/test_host_plugin.py b/tests/test_xmlrpc/test_host_plugin.py index ff87bc248..f4e020ed7 100644 --- a/tests/test_xmlrpc/test_host_plugin.py +++ b/tests/test_xmlrpc/test_host_plugin.py @@ -22,8 +22,9 @@ Test the `ipalib.plugins.host` module. """ -from ipalib import api, errors -from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid +from ipalib import api, errors, x509 +from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_digits +from tests.test_xmlrpc.xmlrpc_test import fuzzy_hash, fuzzy_date from tests.test_xmlrpc import objectclasses import base64 @@ -39,8 +40,12 @@ fqdn3 = u'testhost2.%s' % api.env.domain short3 = u'testhost2' dn3 = u'fqdn=%s,cn=computers,cn=accounts,%s' % (fqdn3, api.env.basedn) -servercert = 'MIICbzCCAdigAwIBAgICA/4wDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDgwOTE1MDIyN1oXDTIwMDgwOTE1MDIyN1owKTEMMAoGA1UEChMDSVBBMRkwFwYDVQQDExBwdW1hLmdyZXlvYWsuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwYbfEOQPgGenPn9vt1JFKvWm/Je3y2tawGWA3LXDuqfFJyYtZ8ib3TcBUOnLk9WK5g2qCwHaNlei7bj8ggIfr5hegAVe10cun+wYErjnYo7hsHYd+57VZezeipWrXu+7NoNd4+c4A5lk4A/xJay9j3bYx2oOM8BEox4xWYoWge1ljPrc5JK46f0X7AGW4F2VhnKPnf8rwSuzI1U8VGjutyM9TWNy3m9KMWeScjyG/ggIpOjUDMV7HkJL0Di61lznR9jXubpiEC7gWGbTp84eGl/Nn9bgK1AwHfJ2lHwfoY4uiL7ge1gyP6EvuUlHoBzdb7pekiX28iePjW3iEG9IawIDAQABoyIwIDARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEBBQUAA4GBACRESLemRV9BPxfEgbALuxH5oE8jQm8WZ3pm2pALbpDlAd9wQc3yVf6RtkfVthyDnM18bg7IhxKpd77/p3H8eCnS8w5MLVRda6ktUC6tGhFTS4QKAf0WyDGTcIgkXbeDw0OPAoNHivoXbIXIIRxlw/XgaSaMzJQDBG8iROsN4kCv' - +# We can use the same cert we generated for the service tests +fd = open('tests/test_xmlrpc/service.crt', 'r') +servercert = fd.readlines() +servercert = ''.join(servercert) +servercert = x509.strip_header(servercert) +fd.close() class test_host(Declarative): @@ -225,13 +230,13 @@ class test_host(Declarative): krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], managedby_host=[u'%s' % fqdn1], usercertificate=[base64.b64decode(servercert)], - valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC', - valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC', - subject=u'CN=puma.greyoak.com,O=IPA', - serial_number=u'1022', - md5_fingerprint=u'ef:63:31:e4:33:54:8d:fd:fe:c8:66:57:09:03:5f:09', - sha1_fingerprint=u'e3:33:2c:d9:7c:e9:77:74:2a:ac:3b:b8:76:b0:86:29:98:43:58:11', - issuer=u'CN=IPA Test Certificate Authority', + valid_not_before=fuzzy_date, + valid_not_after=fuzzy_date, + subject=u'CN=%s,O=%s' % (api.env.host, api.env.realm), + serial_number=fuzzy_digits, + md5_fingerprint=fuzzy_hash, + sha1_fingerprint=fuzzy_hash, + issuer=u'CN=%s Certificate Authority' % api.env.realm, ), ), ), @@ -252,13 +257,13 @@ class test_host(Declarative): has_keytab=False, managedby_host=[u'%s' % fqdn1], usercertificate=[base64.b64decode(servercert)], - valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC', - valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC', - subject=u'CN=puma.greyoak.com,O=IPA', - serial_number=u'1022', - md5_fingerprint=u'ef:63:31:e4:33:54:8d:fd:fe:c8:66:57:09:03:5f:09', - sha1_fingerprint=u'e3:33:2c:d9:7c:e9:77:74:2a:ac:3b:b8:76:b0:86:29:98:43:58:11', - issuer=u'CN=IPA Test Certificate Authority', + valid_not_before=fuzzy_date, + valid_not_after=fuzzy_date, + subject=u'CN=%s,O=%s' % (api.env.host, api.env.realm), + serial_number=fuzzy_digits, + md5_fingerprint=fuzzy_hash, + sha1_fingerprint=fuzzy_hash, + issuer=u'CN=%s Certificate Authority' % api.env.realm, ), ), ), diff --git a/tests/test_xmlrpc/test_service_plugin.py b/tests/test_xmlrpc/test_service_plugin.py index 7c13eb46b..be58b3511 100644 --- a/tests/test_xmlrpc/test_service_plugin.py +++ b/tests/test_xmlrpc/test_service_plugin.py @@ -21,8 +21,9 @@ Test the `ipalib/plugins/service.py` module. """ -from ipalib import api, errors -from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid +from ipalib import api, errors, x509 +from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash +from tests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date from tests.test_xmlrpc import objectclasses import base64 @@ -37,7 +38,13 @@ host1dn = u'fqdn=%s,cn=computers,cn=accounts,%s' % (fqdn1, api.env.basedn) host2dn = u'fqdn=%s,cn=computers,cn=accounts,%s' % (fqdn2, api.env.basedn) host3dn = u'fqdn=%s,cn=computers,cn=accounts,%s' % (fqdn3.lower(), api.env.basedn) -servercert = 'MIICbzCCAdigAwIBAgICA/4wDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDgwOTE1MDIyN1oXDTIwMDgwOTE1MDIyN1owKTEMMAoGA1UEChMDSVBBMRkwFwYDVQQDExBwdW1hLmdyZXlvYWsuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwYbfEOQPgGenPn9vt1JFKvWm/Je3y2tawGWA3LXDuqfFJyYtZ8ib3TcBUOnLk9WK5g2qCwHaNlei7bj8ggIfr5hegAVe10cun+wYErjnYo7hsHYd+57VZezeipWrXu+7NoNd4+c4A5lk4A/xJay9j3bYx2oOM8BEox4xWYoWge1ljPrc5JK46f0X7AGW4F2VhnKPnf8rwSuzI1U8VGjutyM9TWNy3m9KMWeScjyG/ggIpOjUDMV7HkJL0Di61lznR9jXubpiEC7gWGbTp84eGl/Nn9bgK1AwHfJ2lHwfoY4uiL7ge1gyP6EvuUlHoBzdb7pekiX28iePjW3iEG9IawIDAQABoyIwIDARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEBBQUAA4GBACRESLemRV9BPxfEgbALuxH5oE8jQm8WZ3pm2pALbpDlAd9wQc3yVf6RtkfVthyDnM18bg7IhxKpd77/p3H8eCnS8w5MLVRda6ktUC6tGhFTS4QKAf0WyDGTcIgkXbeDw0OPAoNHivoXbIXIIRxlw/XgaSaMzJQDBG8iROsN4kCv' +fd = open('tests/test_xmlrpc/service.crt', 'r') +servercert = fd.readlines() +servercert = ''.join(servercert) +servercert = x509.strip_header(servercert) +fd.close() + +badservercert = 'MIICbzCCAdigAwIBAgICA/4wDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDgwOTE1MDIyN1oXDTIwMDgwOTE1MDIyN1owKTEMMAoGA1UEChMDSVBBMRkwFwYDVQQDExBwdW1hLmdyZXlvYWsuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwYbfEOQPgGenPn9vt1JFKvWm/Je3y2tawGWA3LXDuqfFJyYtZ8ib3TcBUOnLk9WK5g2qCwHaNlei7bj8ggIfr5hegAVe10cun+wYErjnYo7hsHYd+57VZezeipWrXu+7NoNd4+c4A5lk4A/xJay9j3bYx2oOM8BEox4xWYoWge1ljPrc5JK46f0X7AGW4F2VhnKPnf8rwSuzI1U8VGjutyM9TWNy3m9KMWeScjyG/ggIpOjUDMV7HkJL0Di61lznR9jXubpiEC7gWGbTp84eGl/Nn9bgK1AwHfJ2lHwfoY4uiL7ge1gyP6EvuUlHoBzdb7pekiX28iePjW3iEG9IawIDAQABoyIwIDARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEBBQUAA4GBACRESLemRV9BPxfEgbALuxH5oE8jQm8WZ3pm2pALbpDlAd9wQc3yVf6RtkfVthyDnM18bg7IhxKpd77/p3H8eCnS8w5MLVRda6ktUC6tGhFTS4QKAf0WyDGTcIgkXbeDw0OPAoNHivoXbIXIIRxlw/XgaSaMzJQDBG8iROsN4kCv' class test_host(Declarative): @@ -346,6 +353,13 @@ class test_host(Declarative): dict( + desc='Update %r with a bad certificate' % service1, + command=('service_mod', [service1], dict(usercertificate=badservercert)), + expected=errors.CertificateOperationError(error='exact error msg not needed'), + ), + + + dict( desc='Update %r' % service1, command=('service_mod', [service1], dict(usercertificate=servercert)), expected=dict( @@ -355,13 +369,13 @@ class test_host(Declarative): usercertificate=[base64.b64decode(servercert)], krbprincipalname=[service1], managedby_host=[fqdn1], - valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC', - valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC', - subject=u'CN=puma.greyoak.com,O=IPA', - serial_number=u'1022', - md5_fingerprint=u'ef:63:31:e4:33:54:8d:fd:fe:c8:66:57:09:03:5f:09', - sha1_fingerprint=u'e3:33:2c:d9:7c:e9:77:74:2a:ac:3b:b8:76:b0:86:29:98:43:58:11', - issuer=u'CN=IPA Test Certificate Authority', + valid_not_before=fuzzy_date, + valid_not_after=fuzzy_date, + subject=u'CN=%s,O=%s' % (api.env.host, api.env.realm), + serial_number=fuzzy_digits, + md5_fingerprint=fuzzy_hash, + sha1_fingerprint=fuzzy_hash, + issuer=u'CN=%s Certificate Authority' % api.env.realm, ), ), ), @@ -381,13 +395,13 @@ class test_host(Declarative): managedby_host=[fqdn1], # These values come from the servercert that is in this # test case. - valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC', - valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC', - subject=u'CN=puma.greyoak.com,O=IPA', - serial_number=u'1022', - md5_fingerprint=u'ef:63:31:e4:33:54:8d:fd:fe:c8:66:57:09:03:5f:09', - sha1_fingerprint=u'e3:33:2c:d9:7c:e9:77:74:2a:ac:3b:b8:76:b0:86:29:98:43:58:11', - issuer=u'CN=IPA Test Certificate Authority', + valid_not_before=fuzzy_date, + valid_not_after=fuzzy_date, + subject=u'CN=%s,O=%s' % (api.env.host, api.env.realm), + serial_number=fuzzy_digits, + md5_fingerprint=fuzzy_hash, + sha1_fingerprint=fuzzy_hash, + issuer=u'CN=%s Certificate Authority' % api.env.realm, ), ), ), diff --git a/tests/test_xmlrpc/xmlrpc_test.py b/tests/test_xmlrpc/xmlrpc_test.py index 7543fdeee..7b6a74177 100644 --- a/tests/test_xmlrpc/xmlrpc_test.py +++ b/tests/test_xmlrpc/xmlrpc_test.py @@ -44,6 +44,12 @@ fuzzy_netgroupdn = Fuzzy( 'ipauniqueid=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12},cn=ng,cn=alt,%s' % api.env.basedn ) +# Matches a hash signature, not enforcing length +fuzzy_hash = Fuzzy('^([a-f0-9][a-f0-9]:)+[a-f0-9][a-f0-9]$', type=basestring) + +# Matches a date, like Tue Apr 26 17:45:35 2016 UTC +fuzzy_date = Fuzzy('^[a-zA-Z]{3} [a-zA-Z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} UTC$') + try: if not api.Backend.xmlclient.isconnected(): api.Backend.xmlclient.connect(fallback=False) |