Diffstat (limited to 'tests/test_xmlrpc/test_cert_plugin.py')
-rw-r--r-- | tests/test_xmlrpc/test_cert_plugin.py | 454 |
1 files changed, 0 insertions, 454 deletions
diff --git a/tests/test_xmlrpc/test_cert_plugin.py b/tests/test_xmlrpc/test_cert_plugin.py
deleted file mode 100644
index 508e9141a..000000000
--- a/tests/test_xmlrpc/test_cert_plugin.py
+++ /dev/null
@@ -1,454 +0,0 @@ -# Authors: -# Rob Crittenden <rcritten@redhat.com> -# -# Copyright (C) 2009,2013 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. -""" -Test the `ipalib/plugins/cert.py` module against a RA. -""" - -import sys -import os -import shutil -from nose.tools import raises, assert_raises # pylint: disable=E0611 - -from xmlrpc_test import XMLRPC_test, assert_attr_equal -from ipalib import api -from ipalib import errors -from ipalib import x509 -import tempfile -from ipapython import ipautil -import nose -import base64 -from ipapython.dn import DN - -# So we can save the cert from issuance and compare it later -cert = None -newcert = None - -def is_db_configured(): - """ - Raise an exception if we are testing against lite-server and the - developer cert database is configured. - """ - aliasdir = api.env.dot_ipa + os.sep + 'alias' + os.sep + '.pwd' - - if (api.env.xmlrpc_uri == u'http://localhost:8888/ipa/xml' and - not ipautil.file_exists(aliasdir)): - raise nose.SkipTest('developer CA not configured in %s' % aliasdir) - -# Test setup -# -# This test needs a configured CA behind it in order to work properly -# -# To test against Apache directly then no changes are required. Just be -# sure the xmlrpc_uri in ~/.ipa/default.conf points to Apache. 
-# -# To test against Dogtag CA in the lite-server: -# -# - Copy the 3 NSS db files from /etc/httpd/alias to ~/.ipa/alias -# - Copy /etc/httpd/alias/pwdfile.txt to ~/.ipa/alias/.pwd. -# - Change ownership of these files to be readable by you. -# -# The API tested depends on the value of ~/.ipa/default/ra_plugin when -# running as the lite-server. - -class test_cert(XMLRPC_test): - - @classmethod - def setUpClass(cls): - super(test_cert, cls).setUpClass() - - if 'cert_request' not in api.Command: - raise nose.SkipTest('cert_request not registered') - - is_db_configured() - - def run_certutil(self, args, stdin=None): - new_args = ["/usr/bin/certutil", "-d", self.reqdir] - new_args = new_args + args - return ipautil.run(new_args, stdin) - - def setUp(self): - super(test_cert, self).setUp() - self.reqdir = tempfile.mkdtemp(prefix = "tmp-") - self.reqfile = self.reqdir + "/test.csr" - self.pwname = self.reqdir + "/pwd" - - # Create an empty password file - fp = open(self.pwname, "w") - fp.write("\n") - fp.close() - - # Create our temporary NSS database - self.run_certutil(["-N", "-f", self.pwname]) - - self.subject = DN(('CN', self.host_fqdn), x509.subject_base()) - - def tearDown(self): - super(test_cert, self).tearDown() - shutil.rmtree(self.reqdir, ignore_errors=True) - - def generateCSR(self, subject): - self.run_certutil(["-R", "-s", subject, - "-o", self.reqfile, - "-z", "/etc/group", - "-f", self.pwname, - "-a", - ]) - fp = open(self.reqfile, "r") - data = fp.read() - fp.close() - return data - - """ - Test the `cert` plugin. - """ - host_fqdn = u'ipatestcert.%s' % api.env.domain - service_princ = u'test/%s@%s' % (host_fqdn, api.env.realm) - - def test_0001_cert_add(self): - """ - Test the `xmlrpc.cert_request` method without --add. 
- - This should fail because the service principal doesn't exist - """ - # First create the host that will use this policy - res = api.Command['host_add'](self.host_fqdn, force= True)['result'] - - csr = unicode(self.generateCSR(str(self.subject))) - with assert_raises(errors.NotFound): - res = api.Command['cert_request'](csr, principal=self.service_princ) - - def test_0002_cert_add(self): - """ - Test the `xmlrpc.cert_request` method with --add. - """ - # Our host should exist from previous test - global cert - - csr = unicode(self.generateCSR(str(self.subject))) - res = api.Command['cert_request'](csr, principal=self.service_princ, add=True)['result'] - assert DN(res['subject']) == self.subject - # save the cert for the service_show/find tests - cert = res['certificate'] - - def test_0003_service_show(self): - """ - Verify that service-show has the right certificate using service-show. - """ - global cert - - res = api.Command['service_show'](self.service_princ)['result'] - assert base64.b64encode(res['usercertificate'][0]) == cert - - def test_0004_service_find(self): - """ - Verify that service-find has the right certificate using service-find. - """ - global cert - - # Assume there is only one service - res = api.Command['service_find'](self.service_princ)['result'] - assert base64.b64encode(res[0]['usercertificate'][0]) == cert - - def test_0005_cert_renew(self): - """ - Issue a new certificate for a service - """ - global newcert - - csr = unicode(self.generateCSR(str(self.subject))) - res = api.Command['cert_request'](csr, principal=self.service_princ)['result'] - assert DN(res['subject']) == self.subject - # save the cert for the service_show/find tests - newcert = res['certificate'] - - def test_0006_service_show(self): - """ - Verify the new certificate with service-show. 
- """ - global cert, newcert - - res = api.Command['service_show'](self.service_princ)['result'] - # It should no longer match our old cert - assert base64.b64encode(res['usercertificate'][0]) != cert - # And it should match the new one - assert base64.b64encode(res['usercertificate'][0]) == newcert - - def test_0007_cleanup(self): - """ - Clean up cert test data - """ - # Now clean things up - api.Command['host_del'](self.host_fqdn) - - # Verify that the service is gone - res = api.Command['service_find'](self.service_princ) - assert res['count'] == 0 - -class test_cert_find(XMLRPC_test): - - @classmethod - def setUpClass(cls): - super(test_cert_find, cls).setUpClass() - - if 'cert_find' not in api.Command: - raise nose.SkipTest('cert_find not registered') - - if api.env.ra_plugin != 'dogtag': - raise nose.SkipTest('cert_find for dogtag CA only') - - is_db_configured() - - """ - Test the `cert-find` command. - """ - short = api.env.host.replace('.' + api.env.domain, '') - - def test_0001_find_all(self): - """ - Search for all certificates. - - We don't know how many we'll get but there should be at least 10 - by default. - """ - res = api.Command['cert_find']() - assert 'count' in res and res['count'] >= 10 - - def test_0002_find_CA(self): - """ - Search for the CA certificate. - """ - res = api.Command['cert_find'](subject=u'Certificate Authority') - assert 'count' in res and res['count'] == 1 - - def test_0003_find_OCSP(self): - """ - Search for the OCSP certificate. 
- """ - res = api.Command['cert_find'](subject=u'OCSP Subsystem') - - def test_0004_find_this_host(self): - """ - Find all certificates for this IPA server - """ - res = api.Command['cert_find'](subject=api.env.host) - assert 'count' in res and res['count'] > 1 - - def test_0005_find_this_host_exact(self): - """ - Find all certificates for this IPA server (exact) - """ - res = api.Command['cert_find'](subject=api.env.host, exactly=True) - assert 'count' in res and res['count'] > 1 - - def test_0006_find_this_short_host_exact(self): - """ - Find all certificates for this IPA server short name (exact) - """ - res = api.Command['cert_find'](subject=self.short, exactly=True) - assert 'count' in res and res['count'] == 0 - - def test_0007_find_revocation_reason_0(self): - """ - Find all certificates with revocation reason 0 - """ - res = api.Command['cert_find'](revocation_reason=0) - assert 'count' in res and res['count'] == 0 - - def test_0008_find_revocation_reason_1(self): - """ - Find all certificates with revocation reason 1 - """ - res = api.Command['cert_find'](revocation_reason=1) - assert 'count' in res and res['count'] == 0 - - def test_0009_find_revocation_reason_2(self): - """ - Find all certificates with revocation reason 2 - """ - res = api.Command['cert_find'](revocation_reason=2) - assert 'count' in res and res['count'] == 0 - - def test_0010_find_revocation_reason_3(self): - """ - Find all certificates with revocation reason 3 - """ - res = api.Command['cert_find'](revocation_reason=3) - assert 'count' in res and res['count'] == 0 - - def test_0011_find_revocation_reason_4(self): - """ - Find all certificates with revocation reason 4 - - There is no way to know in advance how many revoked certificates - we'll have but in the context of make-test we'll have at least one. 
- """ - res = api.Command['cert_find'](revocation_reason=4) - assert 'count' in res and res['count'] >= 1 - - def test_0012_find_revocation_reason_5(self): - """ - Find all certificates with revocation reason 5 - """ - res = api.Command['cert_find'](revocation_reason=5) - assert 'count' in res and res['count'] == 0 - - def test_0013_find_revocation_reason_6(self): - """ - Find all certificates with revocation reason 6 - """ - res = api.Command['cert_find'](revocation_reason=6) - assert 'count' in res and res['count'] == 0 - - # There is no revocation reason #7 - - def test_0014_find_revocation_reason_8(self): - """ - Find all certificates with revocation reason 8 - """ - res = api.Command['cert_find'](revocation_reason=8) - assert 'count' in res and res['count'] == 0 - - def test_0015_find_revocation_reason_9(self): - """ - Find all certificates with revocation reason 9 - """ - res = api.Command['cert_find'](revocation_reason=9) - assert 'count' in res and res['count'] == 0 - - def test_0016_find_revocation_reason_10(self): - """ - Find all certificates with revocation reason 10 - """ - res = api.Command['cert_find'](revocation_reason=10) - assert 'count' in res and res['count'] == 0 - - def test_0017_find_by_issuedon(self): - """ - Find all certificates issued since 2008 - """ - res = api.Command['cert_find'](issuedon_from=u'2008-01-01', - sizelimit=10) - assert 'count' in res and res['count'] == 10 - - def test_0018_find_through_issuedon(self): - """ - Find all certificates issued through 2008 - """ - res = api.Command['cert_find'](issuedon_to=u'2008-01-01', - sizelimit=10) - assert 'count' in res and res['count'] == 0 - - def test_0019_find_notvalid_before(self): - """ - Find all certificates valid not before 2008 - """ - res = api.Command['cert_find'](validnotbefore_from=u'2008-01-01', - sizelimit=10) - assert 'count' in res and res['count'] == 10 - - def test_0020_find_notvalid_before(self): - """ - Find all certificates valid not before to 2100 - """ - res = 
api.Command['cert_find'](validnotbefore_to=u'2100-01-01', - sizelimit=10) - assert 'count' in res and res['count'] == 10 - - def test_0021_find_notvalid_before(self): - """ - Find all certificates valid not before 2100 - """ - res = api.Command['cert_find'](validnotbefore_from=u'2100-01-01', - sizelimit=10) - assert 'count' in res and res['count'] == 0 - - def test_0022_find_notvalid_before(self): - """ - Find all certificates valid not before to 2008 - """ - res = api.Command['cert_find'](validnotbefore_to=u'2008-01-01', - sizelimit=10) - assert 'count' in res and res['count'] == 0 - - def test_0023_find_notvalid_after(self): - """ - Find all certificates valid not after 2008 - """ - res = api.Command['cert_find'](validnotafter_from=u'2008-01-01', - sizelimit=10) - assert 'count' in res and res['count'] == 10 - - def test_0024_find_notvalid_after(self): - """ - Find all certificates valid not after to 2100 - """ - res = api.Command['cert_find'](validnotafter_to=u'2100-01-01', - sizelimit=10) - assert 'count' in res and res['count'] == 10 - - def test_0025_find_notvalid_after(self): - """ - Find all certificates valid not after 2100 - """ - res = api.Command['cert_find'](validnotafter_from=u'2100-01-01', - sizelimit=10) - assert 'count' in res and res['count'] == 0 - - def test_0026_find_notvalid_after(self): - """ - Find all certificates valid not after to 2008 - """ - res = api.Command['cert_find'](validnotafter_to=u'2008-01-01', - sizelimit=10) - assert 'count' in res and res['count'] == 0 - - def test_0027_sizelimit_zero(self): - """ - Search with a sizelimit of 0 - """ - res = api.Command['cert_find'](sizelimit=0) - assert 'count' in res and res['count'] == 0 - - @raises(errors.ValidationError) - def test_0028_find_negative_size(self): - """ - Search with a negative sizelimit - """ - res = api.Command['cert_find'](sizelimit=-100) - - def test_0029_search_for_notfound(self): - """ - Search for a host that isn't there. 
- """ - res = api.Command['cert_find'](subject=u'notfound') - assert 'count' in res and res['count'] == 0 - - def test_0030_search_for_testcerts(self): - """ - Search for certs created in other tests - """ - res = api.Command['cert_find'](subject=u'ipatestcert.%s' % api.env.domain) - assert 'count' in res and res['count'] >= 1 - - @raises(errors.ValidationError) - def test_0031_search_on_invalid_date(self): - """ - Search using invalid date format - """ - res = api.Command['cert_find'](issuedon_from=u'xyz') |