1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
|
#
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#
import base64
from ipalib import api, errors
from ipatests.util import assert_deepequal, raises
from xmlrpc_test import XMLRPC_test
from ipapython.dn import DN
from testcert import get_testcert
class CertManipCmdTestBase(XMLRPC_test):
entity_class = ''
entity_pkey = None
entity_subject = None
entity_principal = None
non_existent_entity = None
profile_store_orig = True
default_profile_id = u'caIPAserviceCert'
default_caacl = u'hosts_services_%s' % default_profile_id
cmd_options = dict(
entity_add=None,
caacl=None,
)
cert_add_cmd = None
cert_del_cmd = None
cert_add_summary = u''
cert_del_summary = u''
entity_attrs = None
@classmethod
def disable_profile_store(cls):
try:
api.Command.certprofile_mod(cls.default_profile_id,
ipacertprofilestoreissued=False)
except errors.EmptyModlist:
cls.profile_store_orig = False
else:
cls.profile_store_orig = True
@classmethod
def restore_profile_store(cls):
if cls.profile_store_orig:
api.Command.certprofile_mod(
cls.default_profile_id,
ipacertprofilestoreissued=cls.profile_store_orig)
@classmethod
def add_entity(cls):
api.Command['%s_add' % cls.entity_class](
cls.entity_pkey,
**cls.cmd_options['entity_add'])
@classmethod
def delete_entity(cls):
try:
api.Command['%s_del' % cls.entity_class](cls.entity_pkey)
except errors.NotFound:
pass
# optional methods which implement adding CA ACL rule so that we can
# request cert for the entity. Currently used only for users.
@classmethod
def add_caacl(cls):
pass
@classmethod
def remove_caacl(cls):
pass
@classmethod
def setup_class(cls):
super(CertManipCmdTestBase, cls).setup_class()
cls.delete_entity()
cls.add_entity()
cls.add_caacl()
cls.disable_profile_store()
# list of certificates to add to entry
cls.certs = [
get_testcert(DN(('CN', cls.entity_subject)), cls.entity_principal)
for i in xrange(3)
]
# list of certificates for testing of removal of non-existent certs
cls.nonexistent_certs = [
get_testcert(DN(('CN', cls.entity_subject)), cls.entity_principal)
for j in xrange(2)
]
# cert subset to remove from entry
cls.certs_subset = cls.certs[:2]
# remaining subset
cls.certs_remainder = cls.certs[2:]
# mixture of certs which exist and do not exists in the entry
cls.mixed_certs = cls.certs[:2] + cls.nonexistent_certs[:1]
# invalid base64 encoding
cls.invalid_b64 = [u'few4w24gvrae54y6463234f']
# malformed certificate
cls.malformed_cert = [base64.b64encode('malformed cert')]
# store entity info for the final test
cls.entity_attrs = api.Command['%s_show' % cls.entity_class](
cls.entity_pkey)
@classmethod
def teardown_class(cls):
cls.delete_entity()
cls.remove_caacl()
cls.restore_profile_store()
super(CertManipCmdTestBase, cls).teardown_class()
def add_certs(self, certs):
# pylint: disable=E1102
result = self.cert_add_cmd(self.entity_pkey, usercertificate=certs)
return dict(
usercertificate=result['result'].get('usercertificate', []),
value=result.get('value'),
summary=result.get('summary')
)
def remove_certs(self, certs):
# pylint: disable=E1102
result = self.cert_del_cmd(self.entity_pkey, usercertificate=certs)
return dict(
usercertificate=result['result'].get('usercertificate', []),
value=result.get('value'),
summary=result.get('summary')
)
def test_01_add_cert_to_nonexistent_entity(self):
"""
Tests whether trying to add certificates to a non-existent entry
raises NotFound error.
"""
raises(errors.NotFound, self.cert_add_cmd,
self.non_existent_entity, usercertificate=self.certs)
def test_02_remove_cert_from_nonexistent_entity(self):
"""
Tests whether trying to remove certificates from a non-existent entry
raises NotFound error.
"""
raises(errors.NotFound, self.cert_add_cmd,
self.non_existent_entity, usercertificate=self.certs)
def test_03_remove_cert_from_entity_with_no_certs(self):
"""
Attempt to remove certificates from an entity that has none raises
AttrValueNotFound
"""
raises(errors.AttrValueNotFound, self.remove_certs, self.certs)
def test_04_add_invalid_b64_blob_to_entity(self):
raises(errors.Base64DecodeError, self.add_certs, self.invalid_b64)
def test_05_add_malformed_cert_to_entity(self):
raises(errors.CertificateFormatError, self.add_certs,
self.malformed_cert)
def test_06_add_single_cert_to_entity(self):
"""
Add single certificate to entry
"""
assert_deepequal(
dict(
usercertificate=[base64.b64decode(self.certs[0])],
summary=self.cert_add_summary % self.entity_pkey,
value=self.entity_pkey,
),
self.add_certs([self.certs[0]])
)
def test_07_add_more_certs_to_entity(self):
"""
Add the rest of the certificate set to the entry.
"""
assert_deepequal(
dict(
usercertificate=map(base64.b64decode, self.certs),
summary=self.cert_add_summary % self.entity_pkey,
value=self.entity_pkey,
),
self.add_certs(self.certs[1:])
)
def test_08_add_already_present_cert_to_entity(self):
"""
Tests that ExecutionError is raised when attempting to add certificates
to the entry that already contains them.
"""
raises(
errors.ExecutionError,
self.add_certs,
self.certs_subset
)
def test_09_remove_nonexistent_certs_from_entity(self):
"""
Tests that an attempt to remove certificates that are not present in
the entry raises AttrValueNotFound
"""
raises(
errors.AttrValueNotFound,
self.remove_certs,
self.nonexistent_certs
)
def test_10_remove_valid_and_nonexistent_certs_from_entity(self):
"""
Try to remove multiple certificates. Some of them are not present in
the entry. This scenario should raise InvocationError.
"""
raises(
errors.AttrValueNotFound,
self.remove_certs,
self.mixed_certs
)
def test_11_remove_cert_subset_from_entity(self):
"""
Test correct removal of a subset of entry's certificates.
"""
assert_deepequal(
dict(
usercertificate=map(base64.b64decode,
self.certs_remainder),
summary=self.cert_del_summary % self.entity_pkey,
value=self.entity_pkey,
),
self.remove_certs(self.certs_subset)
)
def test_12_remove_remaining_certs_from_entity(self):
"""
Test correct removal of all the remaining certificates from the entry.
"""
assert_deepequal(
dict(
usercertificate=[],
summary=self.cert_del_summary % self.entity_pkey,
value=self.entity_pkey,
),
self.remove_certs(self.certs_remainder)
)
def test_99_check_final_entity_consistency(self):
"""
Tests that all the previous operations do not modify other attributes
of the entry. Make sure that the show command returns the same
information as in the beginning of the test suite.
"""
assert_deepequal(
self.entity_attrs,
api.Command['%s_show' % self.entity_class](self.entity_pkey)
)
class TestCertManipCmdUser(CertManipCmdTestBase):
entity_class = 'user'
entity_pkey = u'tuser'
entity_subject = entity_pkey
entity_principal = u'tuser'
non_existent_entity = u'nonexistentuser'
cmd_options = dict(
entity_add=dict(givenname=u'Test', sn=u'User'),
caacl=dict(user=[u'tuser']),
)
cert_add_cmd = api.Command.user_add_cert
cert_del_cmd = api.Command.user_remove_cert
cert_add_summary = u'Added certificates to user "%s"'
cert_del_summary = u'Removed certificates from user "%s"'
@classmethod
def add_caacl(cls):
api.Command['caacl_add_%s' % cls.entity_class](
cls.default_caacl, **cls.cmd_options['caacl'])
@classmethod
def remove_caacl(cls):
api.Command['caacl_remove_%s' % cls.entity_class](
cls.default_caacl, **cls.cmd_options['caacl'])
class TestCertManipCmdHost(CertManipCmdTestBase):
entity_class = 'host'
entity_pkey = u'host.example.com'
entity_subject = entity_pkey
entity_principal = u'host/%s' % entity_pkey
non_existent_entity = u'non.existent.host.com'
cmd_options = dict(
entity_add=dict(force=True),
)
cert_add_cmd = api.Command.host_add_cert
cert_del_cmd = api.Command.host_remove_cert
cert_add_summary = u'Added certificates to host "%s"'
cert_del_summary = u'Removed certificates from host "%s"'
class TestCertManipCmdService(CertManipCmdTestBase):
entity_class = 'service'
entity_pkey = u'testservice/%s@%s' % (TestCertManipCmdHost.entity_pkey,
api.env.realm)
entity_subject = TestCertManipCmdHost.entity_pkey
entity_principal = entity_pkey
non_existent_entity = u'testservice/non.existent.host.com'
cmd_options = dict(
entity_add=dict(force=True),
)
cert_add_cmd = api.Command.service_add_cert
cert_del_cmd = api.Command.service_remove_cert
cert_add_summary = u'Added certificates to service principal "%s"'
cert_del_summary = u'Removed certificates from service principal "%s"'
@classmethod
def add_entity(cls):
api.Command.host_add(TestCertManipCmdHost.entity_pkey, force=True)
super(TestCertManipCmdService, cls).add_entity()
@classmethod
def delete_entity(cls):
super(TestCertManipCmdService, cls).delete_entity()
try:
api.Command.host_del(TestCertManipCmdHost.entity_pkey)
except errors.NotFound:
pass
|
