From 88c44e8ea7c9583a552340141f2c4df07f5dab7b Mon Sep 17 00:00:00 2001
From: Asha Akkiangady
Date: Mon, 16 Feb 2015 18:53:29 -0500
Subject: CA renewal manual, directory authenticated and sslclient self renewal tests. Subca usergroup tests and new tests added to ca's usergroup.

---
 tests/dogtag/Makefile | 4 +
 .../ca-tests/renewal/renew_DirAuthUserCert.sh | 2757 ++++++++++++++++
 .../ca-tests/renewal/renew_caSSLClientCert.sh | 1560 +++++++++
 .../legacy/ca-tests/renewal/renew_manual.sh | 3399 ++++++++++++++++++++
 .../ca-tests/usergroups/pki-ca-usergroups.sh | 322 +-
 .../subca-tests/usergroups/subca-usergroups.sh | 842 +++++
 tests/dogtag/runtest.sh | 39 +-
 tests/dogtag/shared/rhcs-shared.sh | 75 +-
 8 files changed, 8973 insertions(+), 25 deletions(-)
 create mode 100644 tests/dogtag/acceptance/legacy/ca-tests/renewal/renew_DirAuthUserCert.sh
 create mode 100644 tests/dogtag/acceptance/legacy/ca-tests/renewal/renew_caSSLClientCert.sh
 create mode 100644 tests/dogtag/acceptance/legacy/ca-tests/renewal/renew_manual.sh
 create mode 100644 tests/dogtag/acceptance/legacy/subca-tests/usergroups/subca-usergroups.sh
(limited to 'tests')

diff --git a/tests/dogtag/Makefile b/tests/dogtag/Makefile
index 556b9b971..73fa2213f 100755
--- a/tests/dogtag/Makefile
+++ b/tests/dogtag/Makefile
@@ -259,11 +259,15 @@ build: $(BUILT_FILES) chmod a+x ./acceptance/legacy/ca-tests/publishing/ca-admin-publishing.sh chmod a+x ./acceptance/legacy/ca-tests/cert-enrollment/ca-ag-certificates.sh chmod a+x ./acceptance/legacy/ca-tests/ocsp/ca-ee-ocsp.sh + chmod a+x ./acceptance/legacy/ca-tests/renewal/renew_manual.sh + chmod a+x ./acceptance/legacy/ca-tests/renewal/renew_DirAuthUserCert.sh + chmod a+x ./acceptance/legacy/ca-tests/renewal/renew_caSSLClientCert.sh chmod a+x ./acceptance/legacy/drm-tests/acls/drm-ad-acls.sh chmod a+x ./acceptance/legacy/drm-tests/agent/drm-ag-tests.sh chmod a+x ./acceptance/legacy/drm-tests/internaldb/drm-ad-internaldb.sh chmod a+x ./acceptance/legacy/drm-tests/usergroups/drm-ad-usergroups.sh chmod a+x ./acceptance/legacy/drm-tests/logs/drm-ad-logs.sh + chmod a+x ./acceptance/legacy/subca-tests/usergroups/subca-usergroups.sh chmod a+x ./acceptance/legacy/subca-tests/acls/subca-ad-acls.sh chmod a+x ./acceptance/legacy/subca-tests/internaldb/subca-ad-internaldb.sh chmod a+x ./acceptance/legacy/subca-tests/authplugin/subca-ad-authplugin.sh diff --git a/tests/dogtag/acceptance/legacy/ca-tests/renewal/renew_DirAuthUserCert.sh b/tests/dogtag/acceptance/legacy/ca-tests/renewal/renew_DirAuthUserCert.sh new file mode 100644 index 000000000..efb9964fa --- /dev/null +++ b/tests/dogtag/acceptance/legacy/ca-tests/renewal/renew_DirAuthUserCert.sh 
@@ -0,0 +1,2757 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/rhcs/acceptance/legacy-tests/ca-tests/renewal +# Description: PKI CA certificate renewal of Directory Authenticated user certificates +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# The following pki commands needs to be tested: +# /ca/ee/ca/ProfileSubmit profile caDirUserRenewal +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Author: Asha Akkiangady +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Include rhts environment +. /usr/bin/rhts-environment.sh +. /usr/share/beakerlib/beakerlib.sh +. /opt/rhqa_pki/rhcs-shared.sh +. 
/opt/rhqa_pki/env.sh + +run_pki-legacy-ca-renew_dir_auth_user_cert_tests() +{ + local subsystemType=$1 + local csRole=$2 + + # Creating Temporary Directory for pki ca-renew-dir-auth-user-cert + rlPhaseStartSetup "pki ca renew directory auth user cert - Temporary Directory" + rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory" + rlRun "pushd $TmpDir" + rlRun "export SSL_DIR=$CERTDB_DIR" + #Forward the clock 40 days to test grace period + forward_system_clock 40 + rlPhaseEnd + + # Local Variables + get_topo_stack $csRole $TmpDir/topo_file + local CA_INST=$(cat $TmpDir/topo_file | grep MY_CA | cut -d= -f2) + local tomcat_name=$(eval echo \$${CA_INST}_TOMCAT_INSTANCE_NAME) + local ca_unsecure_port=$(eval echo \$${CA_INST}_UNSECURE_PORT) + local ca_secure_port=$(eval echo \$${CA_INST}_SECURE_PORT) + local ca_host=$(eval echo \$${csRole}) + local valid_agent_user=$CA_INST\_agentV + local valid_agent_user_password=$CA_INST\_agentV_password + local valid_admin_user=$CA_INST\_adminV + local valid_admin_user_password=$CA_INST\_adminV_password + local valid_audit_user=$CA_INST\_auditV + local valid_audit_user_password=$CA_INST\_auditV_password + local valid_operator_user=$CA_INST\_operatorV + local valid_operator_user_password=$CA_INST\_operatorV_password + local valid_agent_cert=$CA_INST\_agentV + local TEMP_NSS_DB="$TmpDir/nssdb" + local TEMP_NSS_DB_PWD="redhat" + local ca_admin_user=$(eval echo \$${CA_INST}_ADMIN_USER) + local rand=$RANDOM + local tmp_junk_data=$(openssl rand -base64 50 | perl -p -e 's/\n//') + local TEMP_NSS_DB="$TmpDir/nssdb" + local TEMP_NSS_DB_PWD="redhat" + local ca_db_suffix=$(eval echo \$${CA_INST}_DB_SUFFIX) + local ldap_conn_port=$(eval echo \$${CA_INST}_LDAP_PORT) + local ldap_rootdn=$(eval echo $LDAP_ROOTDN) + local ldap_rootdn_password=$(eval echo $LDAP_ROOTDNPWD) + disable_ca_nonce $tomcat_name + + rlPhaseStartTest "pki_ca_renew_dir_auth_usercert-001: Renew a directory user cert that expire in the renew grace period" + #Change 
caDirUserCert.cfg profile to have cert validity range to be 20 days + local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caDirUserCert.cfg" + local search_string="policyset.userCertSet.2.default.params.range=180" + local replace_string="policyset.userCertSet.2.default.params.range=20" + replace_string_in_a_file $profile_file $search_string $replace_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + # setup uidpwddirauth authentication plugin + local plugin_id="UserDirEnrollment" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_001_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_001_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_001_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_001_1.txt" + + #Add ldap user + local rand=$RANDOM + local ldap_uid=rend1$rand + local ldap_user_password=rend1password + cat > 
$TmpDir/adduser1.ldif << adduser1.ldif_EOF + +version: 1 + + entry-id: 101 +dn: uid=$ldap_uid,ou=People,$ca_db_suffix +passwordGraceUserTime: 0 +modifiersName: cn=Directory manager +uidNumber: 1001 +gidNumber: 1001 +objectClass: top +objectClass: person +objectClass: posixAccount +uid: $ldap_uid +cn: Posix User1 +sn: User1 +homeDirectory: /home/$ldap_uid +loginshell: /bin/bash +userPassword: $ldap_user_password +adduser1.ldif_EOF + + rlRun "/usr/bin/ldapmodify -a -x -h $ca_host -p $ldap_conn_port -D \"$ldap_rootdn\" -w $ldap_rootdn_password -c -f $TmpDir/adduser1.ldif" 0 + + #userdir enrollment using profile + local profile_id="caDirUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$ldap_uid \ + subject_uid:$ldap_uid \ + subject_email: \ + subject_ou: \ + subject_organization: \ + subject_country: \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + + #userdir enrollment using profile + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_001_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_001_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k 
\"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_001_002_2.txt" 0 "Submit Certificate directory user enrollment request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_001_002.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_001_002_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + + #Change caDirUserCert.cfg profile to have cert validity range default 180 days. + replace_string_in_a_file $profile_file $replace_string $search_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caDirUserRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_001_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_001_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_001_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_001_004.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_001_004_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + 
#Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Cleanup: Delete uidpwddirauth authentication plugin + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_001_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_001_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_001_005_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_001_005.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_ca_renew_dir_auth_usercert-002: Renew a directory user cert that expired and in the renew grace period" + #set system clock 20 days older + reverse_system_clock 20 + + #Change caDirUserCert.cfg profile to have cert validity range to be 10 days + local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caDirUserCert.cfg" + local search_string="policyset.userCertSet.2.default.params.range=180" + local replace_string="policyset.userCertSet.2.default.params.range=10" + replace_string_in_a_file $profile_file $search_string $replace_string + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + # setup uidpwddirauth authentication plugin + local plugin_id="UserDirEnrollment" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_002_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_002_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_002_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_002_1.txt" + + #Add ldap user + local rand=$RANDOM + local ldap_uid=rend2$rand + local ldap_user_password=rend2password + cat > $TmpDir/adduser2.ldif << adduser2.ldif_EOF + +version: 1 + + entry-id: 102 +dn: uid=$ldap_uid,ou=People,$ca_db_suffix +passwordGraceUserTime: 0 +modifiersName: cn=Directory manager +uidNumber: 1001 +gidNumber: 1001 +objectClass: top +objectClass: person +objectClass: posixAccount +uid: $ldap_uid +cn: Posix User1 +sn: User1 +homeDirectory: /home/$ldap_uid +loginshell: /bin/bash 
+userPassword: $ldap_user_password +adduser2.ldif_EOF + + rlRun "/usr/bin/ldapmodify -a -x -h $ca_host -p $ldap_conn_port -D \"$ldap_rootdn\" -w $ldap_rootdn_password -c -f $TmpDir/adduser2.ldif" 0 + + #userdir enrollment using profile + local profile_id="caDirUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$ldap_uid \ + subject_uid:$ldap_uid \ + subject_email: \ + subject_ou: \ + subject_organization: \ + subject_country: \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + + #userdir enrollment using profile + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_002_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_002_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_002_002_2.txt" 0 "Submit Certificate directory user enrollment request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_002_002.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_002_002_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial 
Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + + #Set System Clock back to today + forward_system_clock 20 + + #Change caDirUserCert.cfg profile to have cert validity range default 180 days. + replace_string_in_a_file $profile_file $replace_string $search_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caDirUserRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_002_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_002_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_002_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_002_004.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_002_004_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Cleanup: Delete uidpwddirauth authentication plugin + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_002_005.txt \ + -u 
$valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_002_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_002_005_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_002_005.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_ca_renew_dir_auth_usercert-003: Renew a directory user cert thats going to expire after the renew grace period BZ1182353" + #Change caDirUserCert.cfg profile to have cert validity range to be 31 days + local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caDirUserCert.cfg" + local search_string="policyset.userCertSet.2.default.params.range=180" + local replace_string="policyset.userCertSet.2.default.params.range=31" + replace_string_in_a_file $profile_file $search_string $replace_string + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + # setup uidpwddirauth authentication plugin + local plugin_id="UserDirEnrollment" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_003_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_003_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_003_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_003_1.txt" + + #Add ldap user + local rand=$RANDOM + local ldap_uid=rend3$rand + local ldap_user_password=rend3password + cat > $TmpDir/adduser3.ldif << adduser3.ldif_EOF + +version: 1 + + entry-id: 103 +dn: uid=$ldap_uid,ou=People,$ca_db_suffix +passwordGraceUserTime: 0 +modifiersName: cn=Directory manager +uidNumber: 1001 +gidNumber: 1001 +objectClass: top +objectClass: person +objectClass: posixAccount +uid: $ldap_uid +cn: Posix User1 +sn: User1 +homeDirectory: /home/$ldap_uid +loginshell: /bin/bash 
+userPassword: $ldap_user_password +adduser3.ldif_EOF + + rlRun "/usr/bin/ldapmodify -a -x -h $ca_host -p $ldap_conn_port -D \"$ldap_rootdn\" -w $ldap_rootdn_password -c -f $TmpDir/adduser3.ldif" 0 + + #userdir enrollment using profile + local profile_id="caDirUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$ldap_uid \ + subject_uid:$ldap_uid \ + subject_email: \ + subject_ou: \ + subject_organization: \ + subject_country: \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + + #userdir enrollment using profile + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_003_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_003_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_003_002_2.txt" 0 "Submit Certificate directory user enrollment request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_003_002.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_003_002_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial 
Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + + #Change caDirUserCert.cfg profile to have cert validity range default 180 days. + replace_string_in_a_file $profile_file $replace_string $search_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caDirUserRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_003_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_003_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_003_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_003_004.txt" + rlAssertGrep "Request Rejected - Outside of Renewal Grace Period" "$TmpDir/ca_renew_dir_auth_usercert_003_004_2.txt" + rlLog "BZ1182353 - https://bugzilla.redhat.com/show_bug.cgi?id=1182353" + + #Cleanup: Delete uidpwddirauth authentication plugin + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_003_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_003_005.txt \ 
+ -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_003_005_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_003_005.txt" + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_renew_dir_auth_usercert-004: Renew a directory user cert that expired and outside the renew grace period BZ1182353" + #set system clock 34 days older + reverse_system_clock 34 + + #Change caDirUserCert.cfg profile to have cert validity range to be 3 days + local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caDirUserCert.cfg" + local search_string="policyset.userCertSet.2.default.params.range=180" + local replace_string="policyset.userCertSet.2.default.params.range=3" + replace_string_in_a_file $profile_file $search_string $replace_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + # setup uidpwddirauth authentication plugin + local plugin_id="UserDirEnrollment" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_004_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_004_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d 
\"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_004_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_004_1.txt" + + #Add ldap user + local rand=$RANDOM + local ldap_uid=rend2$rand + local ldap_user_password=rend4password + cat > $TmpDir/adduser4.ldif << adduser4.ldif_EOF + +version: 1 + + entry-id: 104 +dn: uid=$ldap_uid,ou=People,$ca_db_suffix +passwordGraceUserTime: 0 +modifiersName: cn=Directory manager +uidNumber: 1001 +gidNumber: 1001 +objectClass: top +objectClass: person +objectClass: posixAccount +uid: $ldap_uid +cn: Posix User1 +sn: User1 +homeDirectory: /home/$ldap_uid +loginshell: /bin/bash +userPassword: $ldap_user_password +adduser4.ldif_EOF + + rlRun "/usr/bin/ldapmodify -a -x -h $ca_host -p $ldap_conn_port -D \"$ldap_rootdn\" -w $ldap_rootdn_password -c -f $TmpDir/adduser4.ldif" 0 + + #userdir enrollment using profile + local profile_id="caDirUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$ldap_uid \ + subject_uid:$ldap_uid \ + subject_email: \ + subject_ou: \ + subject_organization: \ + subject_country: \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print 
ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + + #userdir enrollment using profile + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_004_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_004_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_004_002_2.txt" 0 "Submit Certificate directory user enrollment request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_004_002.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_004_002_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + + #Set System Clock back to today + forward_system_clock 34 + + #Change caDirUserCert.cfg profile to have cert validity range default 180 days. + replace_string_in_a_file $profile_file $replace_string $search_string + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caDirUserRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_004_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_004_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_004_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_004_004.txt" + rlAssertGrep "Request Rejected - Outside of Renewal Grace Period" "$TmpDir/ca_renew_dir_auth_usercert_004_004_2.txt" + rlLog "BZ1182353 - https://bugzilla.redhat.com/show_bug.cgi?id=1182353" + + #Cleanup: Delete uidpwddirauth authentication plugin + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_004_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_004_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_004_005_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_004_005.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_ca_renew_dir_auth_usercert-005: Renew a directory user cert when userid 
is not provided" + #Change caDirUserCert.cfg profile to have cert validity range to be 20 days + local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caDirUserCert.cfg" + local search_string="policyset.userCertSet.2.default.params.range=180" + local replace_string="policyset.userCertSet.2.default.params.range=20" + replace_string_in_a_file $profile_file $search_string $replace_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + # setup uidpwddirauth authentication plugin + local plugin_id="UserDirEnrollment" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_005_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_005_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_005_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_005_1.txt" + + #Add ldap user + local rand=$RANDOM + local ldap_uid=rend5$rand + local 
ldap_user_password=rend5password + cat > $TmpDir/adduser5.ldif << adduser5.ldif_EOF + +version: 1 + + entry-id: 105 +dn: uid=$ldap_uid,ou=People,$ca_db_suffix +passwordGraceUserTime: 0 +modifiersName: cn=Directory manager +uidNumber: 1001 +gidNumber: 1001 +objectClass: top +objectClass: person +objectClass: posixAccount +uid: $ldap_uid +cn: Posix User1 +sn: User1 +homeDirectory: /home/$ldap_uid +loginshell: /bin/bash +userPassword: $ldap_user_password +adduser5.ldif_EOF + + rlRun "/usr/bin/ldapmodify -a -x -h $ca_host -p $ldap_conn_port -D \"$ldap_rootdn\" -w $ldap_rootdn_password -c -f $TmpDir/adduser5.ldif" 0 + + #userdir enrollment using profile + local profile_id="caDirUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$ldap_uid \ + subject_uid:$ldap_uid \ + subject_email: \ + subject_ou: \ + subject_organization: \ + subject_country: \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + + #userdir enrollment using profile + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_005_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_005_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v 
$TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_005_002_2.txt" 0 "Submit Certificate directory user enrollment request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_005_002.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_005_002_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + + #Change caDirUserCert.cfg profile to have cert validity range default 180 days. + replace_string_in_a_file $profile_file $replace_string $search_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caDirUserRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_005_004.txt \ + -d \"profileId=$renew_profile_id&uid= &pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_005_004.txt \ + -d \"profileId=$renew_profile_id&uid= &pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_005_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_005_004.txt" + rlAssertGrep "Invalid Credential" "$TmpDir/ca_renew_dir_auth_usercert_005_004_2.txt" + + #Cleanup: Delete uidpwddirauth authentication plugin + rlLog "curl --basic \ + 
--dump-header $TmpDir/ca_renew_dir_auth_usercert_005_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_005_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_005_005_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_005_005.txt" + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_renew_dir_auth_usercert-006: Renew a directory user cert when certificate is a non directory usercert" + # setup uidpwddirauth authentication plugin + local plugin_id="UserDirEnrollment" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_006_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_006_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k 
\"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_006_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_006_1.txt" + + #Add ldap user + local rand=$RANDOM + local userid=rend6$rand + local password=password$userid + cat > $TmpDir/adduser6.ldif << adduser6.ldif_EOF + +version: 1 + + entry-id: 106 +dn: uid=$userid,ou=People,$ca_db_suffix +passwordGraceUserTime: 0 +modifiersName: cn=Directory manager +uidNumber: 1001 +gidNumber: 1001 +objectClass: top +objectClass: person +objectClass: posixAccount +uid: $userid +cn: Posix User1 +sn: User1 +homeDirectory: /home/$userid +loginshell: /bin/bash +userPassword: $password +adduser6.ldif_EOF + + rlRun "/usr/bin/ldapmodify -a -x -h $ca_host -p $ldap_conn_port -D \"$ldap_rootdn\" -w $ldap_rootdn_password -c -f $TmpDir/adduser6.ldif" 0 + + #user certificate enrollment using profile caUserCert + local fullname=$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=2048 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_006_002.txt \ + -d 
\"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_006_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_006_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_006_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_006_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Approve certificate request + #10 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+10 days' '+%Y') + local end_month=$(date -d '+10 days' '+%m') + local end_day=$(date -d '+10 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_006_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_006_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_dir_auth_usercert_006_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_006_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_006_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if 
[ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caDirUserRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_006_004.txt \ + -d \"profileId=$renew_profile_id&uid=$userid&pwd=$password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_006_004.txt \ + -d \"profileId=$renew_profile_id&uid=$userid&pwd=$password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_006_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_006_004.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_006_004_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Cleanup: Delete uidpwddirauth authentication plugin + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_006_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_006_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_006_005_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" 
"$TmpDir/ca_renew_dir_auth_usercert_006_005.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_ca_renew_dir_auth_usercert-007: Renew a directory user cert when userid is a long string" + local renew_profile_id="caDirUserRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_007_001.txt \ + -d \"profileId=$renew_profile_id&uid=rend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11user&pwd=rend7password&renewal=true&serial_num=2\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_007_001.txt \ + -d \"profileId=$renew_profile_id&uid=rend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11user&pwd=rend7password&renewal=true&serial_num=2\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_007_001_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_007_001.txt" + rlAssertGrep "Cannot load UserDirEnrollment" "$TmpDir/ca_renew_dir_auth_usercert_007_001_2.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_ca_renew_dir_auth_usercert-008: Renew a directory user cert when userpassword is a long string" + local renew_profile_id="caDirUserRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_008_001.txt \ + -d 
\"profileId=$renew_profile_id&uid=rend8&pwd=rend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11user&renewal=true&serial_num=2\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_008_001.txt \ + -d \"profileId=$renew_profile_id&uid=rend8&pwd=rend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11userrend11user&renewal=true&serial_num=2\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_008_001_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_008_001.txt" + rlAssertGrep "Cannot load UserDirEnrollment" "$TmpDir/ca_renew_dir_auth_usercert_008_001_2.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_ca_renew_dir_auth_usercert-009: Renew a directory user cert when serial number field has a very long string" + # setup uidpwddirauth authentication plugin + local plugin_id="UserDirEnrollment" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_009_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header 
$TmpDir/ca_renew_dir_auth_usercert_009_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_009_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_009_1.txt" + + #Add ldap user + local rand=$RANDOM + local ldap_uid=rend9$rand + local ldap_user_password=rend9password + cat > $TmpDir/adduser1.ldif << adduser1.ldif_EOF + +version: 1 + + entry-id: 109 +dn: uid=$ldap_uid,ou=People,$ca_db_suffix +passwordGraceUserTime: 0 +modifiersName: cn=Directory manager +uidNumber: 1001 +gidNumber: 1001 +objectClass: top +objectClass: person +objectClass: posixAccount +uid: $ldap_uid +cn: Posix User1 +sn: User1 +homeDirectory: /home/$ldap_uid +loginshell: /bin/bash +userPassword: $ldap_user_password +adduser1.ldif_EOF + + rlRun "/usr/bin/ldapmodify -a -x -h $ca_host -p $ldap_conn_port -D \"$ldap_rootdn\" -w $ldap_rootdn_password -c -f $TmpDir/adduser1.ldif" 0 + + #Submit Renew certificate request + local renew_profile_id="caDirUserRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_009_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=12341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_009_004.txt \ + -d 
\"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=12341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_009_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_009_004.txt" + rlAssertGrep "Record not found" "$TmpDir/ca_renew_dir_auth_usercert_009_004_2.txt" + + #Cleanup: Delete uidpwddirauth authentication plugin + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_009_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_009_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_009_005_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_009_005.txt" + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_renew_dir_auth_usercert-010: Renew a directory user cert when grace period graceBefore value is a negative number" + #Change grace period graceBefore value to a negative number + local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caDirUserCert.cfg" + local search_string1="policyset.userCertSet.10.constraint.params.renewal.graceBefore=30" + local replace_string1="policyset.userCertSet.10.constraint.params.renewal.graceBefore=-10" + replace_string_in_a_file $profile_file $search_string1 $replace_string1 + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #Change caDirUserCert.cfg profile to have cert validity range to be 20 days + local search_string2="policyset.userCertSet.2.default.params.range=180" + local replace_string2="policyset.userCertSet.2.default.params.range=20" + replace_string_in_a_file $profile_file $search_string2 $replace_string2 + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + # setup uidpwddirauth authentication plugin + local plugin_id="UserDirEnrollment" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_010_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_010_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_010_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_010_1.txt" + + #Add ldap user + local rand=$RANDOM + local ldap_uid=rend10$rand 
+ local ldap_user_password=rend10password + cat > $TmpDir/adduser10.ldif << adduser10.ldif_EOF + +version: 1 + + entry-id: 110 +dn: uid=$ldap_uid,ou=People,$ca_db_suffix +passwordGraceUserTime: 0 +modifiersName: cn=Directory manager +uidNumber: 1001 +gidNumber: 1001 +objectClass: top +objectClass: person +objectClass: posixAccount +uid: $ldap_uid +cn: Posix User1 +sn: User1 +homeDirectory: /home/$ldap_uid +loginshell: /bin/bash +userPassword: $ldap_user_password +adduser10.ldif_EOF + + rlRun "/usr/bin/ldapmodify -a -x -h $ca_host -p $ldap_conn_port -D \"$ldap_rootdn\" -w $ldap_rootdn_password -c -f $TmpDir/adduser10.ldif" 0 + + #userdir enrollment using profile + local profile_id="caDirUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$ldap_uid \ + subject_uid:$ldap_uid \ + subject_email: \ + subject_ou: \ + subject_organization: \ + subject_country: \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + + #userdir enrollment using profile + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_010_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_010_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v 
$TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_010_002_2.txt" 0 "Submit Certificate directory user enrollment request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_010_002.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_010_002_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + + #Change caDirUserCert.cfg profile to have cert validity range default 180 days. + replace_string_in_a_file $profile_file $replace_string2 $search_string2 + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caDirUserRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_010_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_010_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_010_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_010_004.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_010_004_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print 
$2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Change grace period graceBefore value to original value 30 + replace_string_in_a_file $profile_file $replace_string1 $search_string1 + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #Cleanup: Delete uidpwddirauth authentication plugin + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_010_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_010_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_010_005_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_010_005.txt" + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_renew_dir_auth_usercert-011: Renew a directory user cert when grace period graceBefore value is a smaller number" + #Change grace period graceBefore value to a smaller number + local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caDirUserCert.cfg" + local search_string1="policyset.userCertSet.10.constraint.params.renewal.graceBefore=30" + local replace_string1="policyset.userCertSet.10.constraint.params.renewal.graceBefore=1" + replace_string_in_a_file $profile_file $search_string1 $replace_string1 + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #Change caDirUserCert.cfg profile to have cert validity range to be 1 day + local search_string2="policyset.userCertSet.2.default.params.range=180" + local replace_string2="policyset.userCertSet.2.default.params.range=1" + replace_string_in_a_file $profile_file $search_string2 $replace_string2 + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + # setup uidpwddirauth authentication plugin + local plugin_id="UserDirEnrollment" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_011_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_011_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_011_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_011_1.txt" + + #Add ldap user + local rand=$RANDOM + local ldap_uid=rend11$rand + 
local ldap_user_password=rend11password + cat > $TmpDir/adduser11.ldif << adduser11.ldif_EOF + +version: 1 + + entry-id: 111 +dn: uid=$ldap_uid,ou=People,$ca_db_suffix +passwordGraceUserTime: 0 +modifiersName: cn=Directory manager +uidNumber: 1001 +gidNumber: 1001 +objectClass: top +objectClass: person +objectClass: posixAccount +uid: $ldap_uid +cn: Posix User1 +sn: User1 +homeDirectory: /home/$ldap_uid +loginshell: /bin/bash +userPassword: $ldap_user_password +adduser11.ldif_EOF + + rlRun "/usr/bin/ldapmodify -a -x -h $ca_host -p $ldap_conn_port -D \"$ldap_rootdn\" -w $ldap_rootdn_password -c -f $TmpDir/adduser11.ldif" 0 + + #userdir enrollment using profile + local profile_id="caDirUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$ldap_uid \ + subject_uid:$ldap_uid \ + subject_email: \ + subject_ou: \ + subject_organization: \ + subject_country: \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + + #userdir enrollment using profile + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_011_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_011_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v 
$TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_011_002_2.txt" 0 "Submit Certificate directory user enrollment request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_011_002.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_011_002_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + + #Change caDirUserCert.cfg profile to have cert validity range default 180 days. + replace_string_in_a_file $profile_file $replace_string2 $search_string2 + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caDirUserRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_011_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_011_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_011_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_011_004.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_011_004_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print 
$2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Change grace period graceBefore value to original value 30 + replace_string_in_a_file $profile_file $replace_string1 $search_string1 + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #Cleanup: Delete uidpwddirauth authentication plugin + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_011_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_011_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_011_005_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_011_005.txt" + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_renew_dir_auth_usercert-012: Renew a directory user cert outside renew grace period when grace period graceBefore value is a smaller number BZ1182353" + #Change grace period graceBefore value to a smaller number + local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caDirUserCert.cfg" + local search_string1="policyset.userCertSet.10.constraint.params.renewal.graceBefore=30" + local replace_string1="policyset.userCertSet.10.constraint.params.renewal.graceBefore=1" + replace_string_in_a_file $profile_file $search_string1 $replace_string1 + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #Change caDirUserCert.cfg profile to have cert validity range to be 10 days + local search_string2="policyset.userCertSet.2.default.params.range=180" + local replace_string2="policyset.userCertSet.2.default.params.range=10" + replace_string_in_a_file $profile_file $search_string2 $replace_string2 + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + # setup uidpwddirauth authentication plugin + local plugin_id="UserDirEnrollment" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_012_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_012_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_012_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_012_1.txt" + + #Add ldap user + local rand=$RANDOM + local ldap_uid=rend12$rand 
+ local ldap_user_password=rend12password + cat > $TmpDir/adduser12.ldif << adduser12.ldif_EOF + +version: 1 + + entry-id: 112 +dn: uid=$ldap_uid,ou=People,$ca_db_suffix +passwordGraceUserTime: 0 +modifiersName: cn=Directory manager +uidNumber: 1001 +gidNumber: 1001 +objectClass: top +objectClass: person +objectClass: posixAccount +uid: $ldap_uid +cn: Posix User1 +sn: User1 +homeDirectory: /home/$ldap_uid +loginshell: /bin/bash +userPassword: $ldap_user_password +adduser12.ldif_EOF + + rlRun "/usr/bin/ldapmodify -a -x -h $ca_host -p $ldap_conn_port -D \"$ldap_rootdn\" -w $ldap_rootdn_password -c -f $TmpDir/adduser12.ldif" 0 + + #userdir enrollment using profile + local profile_id="caDirUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$ldap_uid \ + subject_uid:$ldap_uid \ + subject_email: \ + subject_ou: \ + subject_organization: \ + subject_country: \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + + #userdir enrollment using profile + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_012_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_012_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v 
$TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_012_002_2.txt" 0 "Submit Certificate directory user enrollment request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_012_002.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_012_002_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + + #Change caDirUserCert.cfg profile to have cert validity range default 180 days. + replace_string_in_a_file $profile_file $replace_string2 $search_string2 + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caDirUserRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_012_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_012_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_012_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_012_004.txt" + rlAssertGrep "Request Rejected - Outside of Renewal Grace Period" "$TmpDir/ca_renew_dir_auth_usercert_012_004_2.txt" + rlLog "BZ1182353 - 
https://bugzilla.redhat.com/show_bug.cgi?id=1182353" + + #Change grace period graceBefore value to original value 30 + replace_string_in_a_file $profile_file $replace_string1 $search_string1 + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #Cleanup: Delete uidpwddirauth authentication plugin + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_012_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_012_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_012_005_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_012_005.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_ca_renew_dir_auth_usercert-013: Renew a directory user cert when grace period graceBefore value is a bigger number" + #Change grace period graceBefore value to a bigger number + local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caDirUserCert.cfg" + local search_string1="policyset.userCertSet.10.constraint.params.renewal.graceBefore=30" + local replace_string1="policyset.userCertSet.10.constraint.params.renewal.graceBefore=360" + replace_string_in_a_file $profile_file $search_string1 $replace_string1 + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #Change caDirUserCert.cfg profile to have cert validity range to be 1 day + local search_string2="policyset.userCertSet.2.default.params.range=180" + local replace_string2="policyset.userCertSet.2.default.params.range=359" + replace_string_in_a_file $profile_file $search_string2 $replace_string2 + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + # setup uidpwddirauth authentication plugin + local plugin_id="UserDirEnrollment" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_013_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_013_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_013_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_013_1.txt" + + #Add ldap user + local rand=$RANDOM + local ldap_uid=rend13$rand 
+ local ldap_user_password=rend13password + cat > $TmpDir/adduser13.ldif << adduser13.ldif_EOF + +version: 1 + + entry-id: 113 +dn: uid=$ldap_uid,ou=People,$ca_db_suffix +passwordGraceUserTime: 0 +modifiersName: cn=Directory manager +uidNumber: 1001 +gidNumber: 1001 +objectClass: top +objectClass: person +objectClass: posixAccount +uid: $ldap_uid +cn: Posix User1 +sn: User1 +homeDirectory: /home/$ldap_uid +loginshell: /bin/bash +userPassword: $ldap_user_password +adduser13.ldif_EOF + + rlRun "/usr/bin/ldapmodify -a -x -h $ca_host -p $ldap_conn_port -D \"$ldap_rootdn\" -w $ldap_rootdn_password -c -f $TmpDir/adduser13.ldif" 0 + + #userdir enrollment using profile + local profile_id="caDirUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$ldap_uid \ + subject_uid:$ldap_uid \ + subject_email: \ + subject_ou: \ + subject_organization: \ + subject_country: \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + + #userdir enrollment using profile + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_013_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_013_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v 
$TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_013_002_2.txt" 0 "Submit Certificate directory user enrollment request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_013_002.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_013_002_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + + #Change caDirUserCert.cfg profile to have cert validity range default 180 days. + replace_string_in_a_file $profile_file $replace_string2 $search_string2 + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caDirUserRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_013_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_013_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_013_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_013_004.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_013_004_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print 
$2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Change grace period graceBefore value to original value 30 + replace_string_in_a_file $profile_file $replace_string1 $search_string1 + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #Cleanup: Delete uidpwddirauth authentication plugin + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_013_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_013_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_013_005_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_013_005.txt" + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_renew_dir_auth_usercert-014: Renew a directory user cert outside renew grace period when grace period graceBefore value is a bigger number BZ1182353" + #Change grace period graceBefore value to a smaller number + local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caDirUserCert.cfg" + local search_string1="policyset.userCertSet.10.constraint.params.renewal.graceBefore=30" + local replace_string1="policyset.userCertSet.10.constraint.params.renewal.graceBefore=360" + replace_string_in_a_file $profile_file $search_string1 $replace_string1 + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #Change caDirUserCert.cfg profile to have cert validity range to be 362 days + local search_string2="policyset.userCertSet.2.default.params.range=180" + local replace_string2="policyset.userCertSet.2.default.params.range=362" + replace_string_in_a_file $profile_file $search_string2 $replace_string2 + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + # setup uidpwddirauth authentication plugin + local plugin_id="UserDirEnrollment" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_014_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_014_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_014_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_014_1.txt" + + #Add ldap user + local rand=$RANDOM + local 
ldap_uid=rend14$rand + local ldap_user_password=rend14password + cat > $TmpDir/adduser14.ldif << adduser14.ldif_EOF + +version: 1 + + entry-id: 114 +dn: uid=$ldap_uid,ou=People,$ca_db_suffix +passwordGraceUserTime: 0 +modifiersName: cn=Directory manager +uidNumber: 1001 +gidNumber: 1001 +objectClass: top +objectClass: person +objectClass: posixAccount +uid: $ldap_uid +cn: Posix User1 +sn: User1 +homeDirectory: /home/$ldap_uid +loginshell: /bin/bash +userPassword: $ldap_user_password +adduser14.ldif_EOF + + rlRun "/usr/bin/ldapmodify -a -x -h $ca_host -p $ldap_conn_port -D \"$ldap_rootdn\" -w $ldap_rootdn_password -c -f $TmpDir/adduser14.ldif" 0 + + #userdir enrollment using profile + local profile_id="caDirUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$ldap_uid \ + subject_uid:$ldap_uid \ + subject_email: \ + subject_ou: \ + subject_organization: \ + subject_country: \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + + #userdir enrollment using profile + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_014_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_014_002.txt \ + -d 
\"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_014_002_2.txt" 0 "Submit Certificate directory user enrollment request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_014_002.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_014_002_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + + #Change caDirUserCert.cfg profile to have cert validity range default 180 days. + replace_string_in_a_file $profile_file $replace_string2 $search_string2 + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caDirUserRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_014_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_014_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_014_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_014_004.txt" + rlAssertGrep "Request Rejected - 
Outside of Renewal Grace Period" "$TmpDir/ca_renew_dir_auth_usercert_014_004_2.txt" + rlLog "BZ1182353 - https://bugzilla.redhat.com/show_bug.cgi?id=1182353" + + #Change grace period graceBefore value to original value 30 + replace_string_in_a_file $profile_file $replace_string1 $search_string1 + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #Cleanup: Delete uidpwddirauth authentication plugin + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_014_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_014_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_014_005_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_014_005.txt" + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_renew_dir_auth_usercert-015: Renew a directory user cert when grace period graceAfter value is a smaller number" + #set system clock 34 days older + reverse_system_clock 34 + + #Change grace period graceAfter value to a smaller number + local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caDirUserCert.cfg" + local search_string1="policyset.userCertSet.10.constraint.params.renewal.graceAfter=30" + local replace_string1="policyset.userCertSet.10.constraint.params.renewal.graceAfter=2" + replace_string_in_a_file $profile_file $search_string1 $replace_string1 + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #Change caDirUserCert.cfg profile to have cert validity range to be 33 days + local search_string2="policyset.userCertSet.2.default.params.range=180" + local replace_string2="policyset.userCertSet.2.default.params.range=33" + replace_string_in_a_file $profile_file $search_string2 $replace_string2 + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + # setup uidpwddirauth authentication plugin + local plugin_id="UserDirEnrollment" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_015_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_015_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_015_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_015_1.txt" + + #Add ldap user + local rand=$RANDOM + local ldap_uid=rend15$rand 
+ local ldap_user_password=rend15password
+ cat > $TmpDir/adduser15.ldif << adduser15.ldif_EOF
+
+version: 1
+
+ entry-id: 115
+dn: uid=$ldap_uid,ou=People,$ca_db_suffix
+passwordGraceUserTime: 0
+modifiersName: cn=Directory manager
+uidNumber: 1001
+gidNumber: 1001
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+uid: $ldap_uid
+cn: Posix User1
+sn: User1
+homeDirectory: /home/$ldap_uid
+loginshell: /bin/bash
+userPassword: $ldap_user_password
+adduser15.ldif_EOF
+
+ rlRun "/usr/bin/ldapmodify -a -x -h $ca_host -p $ldap_conn_port -D \"$ldap_rootdn\" -w $ldap_rootdn_password -c -f $TmpDir/adduser15.ldif" 0
+
+ #userdir enrollment using profile
+ local profile_id="caDirUserCert"
+ local request_type="crmf"
+ local request_key_size=1024
+ local request_key_type="rsa"
+
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:$ldap_uid \
+ subject_uid:$ldap_uid \
+ subject_email: \
+ subject_ou: \
+ subject_organization: \
+ subject_country: \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/$rand-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/$rand-subject.out"
+ rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem"
+
+ #userdir enrollment using profile
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_015_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_015_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v
$TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_015_002_2.txt" 0 "Submit Certificate directory user enrollment request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_015_002.txt"
+ local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_015_002_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+
+ #Verify length of the serial number
+ serial_length=${#serial_number}
+ if [ $serial_length -le 0 ] ; then
+ rlFail "Certificate Serial Number is invalid : $serial_number"
+ fi
+
+ #Set System Clock back to today
+ forward_system_clock 34
+
+ #Change caDirUserCert.cfg profile to have cert validity range default 180 days.
+ replace_string_in_a_file $profile_file $replace_string2 $search_string2
+ if [ $? -eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ serial_number_in_decimal=$((${serial_number}))
+ #Submit Renew certificate request
+ local renew_profile_id="caDirUserRenewal"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_015_004.txt \
+ -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_015_004.txt \
+ -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_015_004_2.txt" 0 "Submit Certificate renew request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_015_004.txt"
+ local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_015_004_2.txt | tr '\\n' '\n' |
grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+
+ #Verify length of the serial number
+ serial_length=${#serial_number}
+ if [ $serial_length -le 0 ] ; then
+ rlFail "Certificate Serial Number is invalid : $serial_number"
+ fi
+
+ #Change grace period graceAfter value to original value 30
+ replace_string_in_a_file $profile_file $replace_string1 $search_string1
+ if [ $? -eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ #Cleanup: Delete uidpwddirauth authentication plugin
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_015_005.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_015_005.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_015_005_2.txt"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_015_005.txt"
+ rlPhaseEnd
+
+
+ rlPhaseStartTest "pki_ca_renew_dir_auth_usercert-016: Renew a directory user cert outside renew grace period when grace period graceAfter value is a smaller number BZ1182353"
+ #set system clock 34 days older
+ reverse_system_clock 34
+
+ #Change grace period graceAfter value to a smaller number
+ local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caDirUserCert.cfg"
+ local search_string1="policyset.userCertSet.10.constraint.params.renewal.graceAfter=30"
+ local replace_string1="policyset.userCertSet.10.constraint.params.renewal.graceAfter=2"
+ replace_string_in_a_file $profile_file $search_string1 $replace_string1
+ if [ $?
-eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ #Change caDirUserCert.cfg profile to have cert validity range to be 31 days
+ local search_string2="policyset.userCertSet.2.default.params.range=180"
+ local replace_string2="policyset.userCertSet.2.default.params.range=31"
+ replace_string_in_a_file $profile_file $search_string2 $replace_string2
+ if [ $? -eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ # setup uidpwddirauth authentication plugin
+ local plugin_id="UserDirEnrollment"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_016_1.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_016_1.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_016_2.txt"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_016_1.txt"
+
+ #Add ldap user
+ local rand=$RANDOM
+ local ldap_uid=rend16$rand
+ local ldap_user_password=rend16password
+ cat > $TmpDir/adduser16.ldif << adduser16.ldif_EOF
+
+version: 1
+
+ entry-id: 116
+dn: uid=$ldap_uid,ou=People,$ca_db_suffix
+passwordGraceUserTime: 0
+modifiersName: cn=Directory manager
+uidNumber: 1001
+gidNumber: 1001
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+uid: $ldap_uid
+cn: Posix User1
+sn: User1
+homeDirectory: /home/$ldap_uid
+loginshell: /bin/bash
+userPassword: $ldap_user_password
+adduser16.ldif_EOF
+
+ rlRun "/usr/bin/ldapmodify -a -x -h $ca_host -p $ldap_conn_port -D \"$ldap_rootdn\" -w $ldap_rootdn_password -c -f $TmpDir/adduser16.ldif" 0
+
+ #userdir enrollment using profile
+ local profile_id="caDirUserCert"
+ local request_type="crmf"
+ local request_key_size=1024
+ local request_key_type="rsa"
+
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:$ldap_uid \
+ subject_uid:$ldap_uid \
+ subject_email: \
+ subject_ou: \
+ subject_organization: \
+ subject_country: \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/$rand-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/$rand-subject.out"
+ rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem"
+
+ #userdir enrollment using profile
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_016_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_016_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v
$TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_016_002_2.txt" 0 "Submit Certificate directory user enrollment request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_016_002.txt"
+ local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_016_002_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+
+ #Verify length of the serial number
+ serial_length=${#serial_number}
+ if [ $serial_length -le 0 ] ; then
+ rlFail "Certificate Serial Number is invalid : $serial_number"
+ fi
+
+ #Set System Clock back to today
+ forward_system_clock 34
+
+ #Change caDirUserCert.cfg profile to have cert validity range default 180 days.
+ replace_string_in_a_file $profile_file $replace_string2 $search_string2
+ if [ $? -eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ serial_number_in_decimal=$((${serial_number}))
+ #Submit Renew certificate request
+ local renew_profile_id="caDirUserRenewal"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_016_004.txt \
+ -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_016_004.txt \
+ -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_016_004_2.txt" 0 "Submit Certificate renew request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_016_004.txt"
+ rlAssertGrep "Request Rejected - Outside of Renewal Grace Period"
"$TmpDir/ca_renew_dir_auth_usercert_016_004_2.txt"
+ rlLog "BZ1182353 - https://bugzilla.redhat.com/show_bug.cgi?id=1182353"
+
+ #Change grace period graceAfter value to original value 30
+ replace_string_in_a_file $profile_file $replace_string1 $search_string1
+ if [ $? -eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ #Cleanup: Delete uidpwddirauth authentication plugin
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_016_005.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_016_005.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_016_005_2.txt"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_016_005.txt"
+ rlPhaseEnd
+
+
+ rlPhaseStartTest "pki_ca_renew_dir_auth_usercert-017: Renew a directory user cert when grace period graceAfter value is a bigger number"
+ #set system clock 37 days older
+ reverse_system_clock 37
+
+ #Change grace period graceAfter value to a bigger number
+ local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caDirUserCert.cfg"
+ local search_string1="policyset.userCertSet.10.constraint.params.renewal.graceAfter=30"
+ local replace_string1="policyset.userCertSet.10.constraint.params.renewal.graceAfter=360"
+ replace_string_in_a_file $profile_file $search_string1 $replace_string1
+ if [ $?
-eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ #Change caDirUserCert.cfg profile to have cert validity range to be 1 day
+ local search_string2="policyset.userCertSet.2.default.params.range=180"
+ local replace_string2="policyset.userCertSet.2.default.params.range=1"
+ replace_string_in_a_file $profile_file $search_string2 $replace_string2
+ if [ $? -eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ # setup uidpwddirauth authentication plugin
+ local plugin_id="UserDirEnrollment"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_017_1.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_017_1.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_017_2.txt"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_017_1.txt"
+
+ #Add ldap user
+ local rand=$RANDOM
+ local ldap_uid=rend17$rand
+
local ldap_user_password=rend17password
+ cat > $TmpDir/adduser17.ldif << adduser17.ldif_EOF
+
+version: 1
+
+ entry-id: 117
+dn: uid=$ldap_uid,ou=People,$ca_db_suffix
+passwordGraceUserTime: 0
+modifiersName: cn=Directory manager
+uidNumber: 1001
+gidNumber: 1001
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+uid: $ldap_uid
+cn: Posix User1
+sn: User1
+homeDirectory: /home/$ldap_uid
+loginshell: /bin/bash
+userPassword: $ldap_user_password
+adduser17.ldif_EOF
+
+ rlRun "/usr/bin/ldapmodify -a -x -h $ca_host -p $ldap_conn_port -D \"$ldap_rootdn\" -w $ldap_rootdn_password -c -f $TmpDir/adduser17.ldif" 0
+
+ #userdir enrollment using profile
+ local profile_id="caDirUserCert"
+ local request_type="crmf"
+ local request_key_size=1024
+ local request_key_type="rsa"
+
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:$ldap_uid \
+ subject_uid:$ldap_uid \
+ subject_email: \
+ subject_ou: \
+ subject_organization: \
+ subject_country: \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/$rand-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/$rand-subject.out"
+ rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem"
+
+ #userdir enrollment using profile
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_017_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_017_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v
$TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_017_002_2.txt" 0 "Submit Certificate directory user enrollment request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_017_002.txt"
+ local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_017_002_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+
+ #Verify length of the serial number
+ serial_length=${#serial_number}
+ if [ $serial_length -le 0 ] ; then
+ rlFail "Certificate Serial Number is invalid : $serial_number"
+ fi
+
+ #Set System Clock back to today
+ forward_system_clock 37
+
+ #Change caDirUserCert.cfg profile to have cert validity range default 180 days.
+ replace_string_in_a_file $profile_file $replace_string2 $search_string2
+ if [ $? -eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ serial_number_in_decimal=$((${serial_number}))
+ #Submit Renew certificate request
+ local renew_profile_id="caDirUserRenewal"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_017_004.txt \
+ -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_017_004.txt \
+ -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_017_004_2.txt" 0 "Submit Certificate renew request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_017_004.txt"
+ local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_017_004_2.txt | tr '\\n' '\n' |
grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+
+ #Verify length of the serial number
+ serial_length=${#serial_number}
+ if [ $serial_length -le 0 ] ; then
+ rlFail "Certificate Serial Number is invalid : $serial_number"
+ fi
+
+ #Change grace period graceAfter value to original value 30
+ replace_string_in_a_file $profile_file $replace_string1 $search_string1
+ if [ $? -eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ #Cleanup: Delete uidpwddirauth authentication plugin
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_017_005.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_017_005.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_017_005_2.txt"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_017_005.txt"
+ rlPhaseEnd
+
+
+ rlPhaseStartTest "pki_ca_renew_dir_auth_usercert-018: Renew a directory user cert outside renew grace period when grace period graceAfter value is a bigger number BZ1182353"
+ #set system clock 37 days older
+ reverse_system_clock 37
+
+ #Change grace period graceAfter value to a smaller number
+ local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caDirUserCert.cfg"
+ local search_string1="policyset.userCertSet.10.constraint.params.renewal.graceAfter=30"
+ local replace_string1="policyset.userCertSet.10.constraint.params.renewal.graceAfter=35"
+ replace_string_in_a_file $profile_file $search_string1 $replace_string1
+ if [ $?
-eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ #Change caDirUserCert.cfg profile to have cert validity range to be 1 day
+ local search_string2="policyset.userCertSet.2.default.params.range=180"
+ local replace_string2="policyset.userCertSet.2.default.params.range=1"
+ replace_string_in_a_file $profile_file $search_string2 $replace_string2
+ if [ $? -eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ # setup uidpwddirauth authentication plugin
+ local plugin_id="UserDirEnrollment"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_018_1.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_018_1.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_018_2.txt"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_018_1.txt"
+
+ #Add ldap user
+ local rand=$RANDOM
+ local ldap_uid=rend18$rand
+
local ldap_user_password=rend18password
+ cat > $TmpDir/adduser18.ldif << adduser18.ldif_EOF
+
+version: 1
+
+ entry-id: 118
+dn: uid=$ldap_uid,ou=People,$ca_db_suffix
+passwordGraceUserTime: 0
+modifiersName: cn=Directory manager
+uidNumber: 1001
+gidNumber: 1001
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+uid: $ldap_uid
+cn: Posix User1
+sn: User1
+homeDirectory: /home/$ldap_uid
+loginshell: /bin/bash
+userPassword: $ldap_user_password
+adduser18.ldif_EOF
+
+ rlRun "/usr/bin/ldapmodify -a -x -h $ca_host -p $ldap_conn_port -D \"$ldap_rootdn\" -w $ldap_rootdn_password -c -f $TmpDir/adduser18.ldif" 0
+
+ #userdir enrollment using profile
+ local profile_id="caDirUserCert"
+ local request_type="crmf"
+ local request_key_size=1024
+ local request_key_type="rsa"
+
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:$ldap_uid \
+ subject_uid:$ldap_uid \
+ subject_email: \
+ subject_ou: \
+ subject_organization: \
+ subject_country: \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/$rand-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/$rand-subject.out"
+ rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem"
+
+ #userdir enrollment using profile
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_018_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_018_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v
$TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_018_002_2.txt" 0 "Submit Certificate directory user enrollment request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_018_002.txt"
+ local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_018_002_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+
+ #Verify length of the serial number
+ serial_length=${#serial_number}
+ if [ $serial_length -le 0 ] ; then
+ rlFail "Certificate Serial Number is invalid : $serial_number"
+ fi
+
+ #Set System Clock back to today
+ forward_system_clock 37
+
+ #Change caDirUserCert.cfg profile to have cert validity range default 180 days.
+ replace_string_in_a_file $profile_file $replace_string2 $search_string2
+ if [ $? -eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ serial_number_in_decimal=$((${serial_number}))
+ #Submit Renew certificate request
+ local renew_profile_id="caDirUserRenewal"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_018_004.txt \
+ -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_018_004.txt \
+ -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_018_004_2.txt" 0 "Submit Certificate renew request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_018_004.txt"
+ rlAssertGrep "Request Rejected - Outside of Renewal Grace Period"
"$TmpDir/ca_renew_dir_auth_usercert_018_004_2.txt"
+ rlLog "BZ1182353 - https://bugzilla.redhat.com/show_bug.cgi?id=1182353"
+
+ #Change grace period graceAfter value to original value 30
+ replace_string_in_a_file $profile_file $replace_string1 $search_string1
+ if [ $? -eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ #Cleanup: Delete uidpwddirauth authentication plugin
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_018_005.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_018_005.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_018_005_2.txt"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_018_005.txt"
+ rlPhaseEnd
+
+
+ rlPhaseStartTest "pki_ca_renew_dir_auth_usercert-019: Renew a revoked directory user cert that epires in renew grace period - manually approved by a valid agent"
+ #Change caDirUserCert.cfg profile to have cert validity range to be 20 days
+ local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caDirUserCert.cfg"
+ local search_string="policyset.userCertSet.2.default.params.range=180"
+ local replace_string="policyset.userCertSet.2.default.params.range=20"
+ replace_string_in_a_file $profile_file $search_string $replace_string
+ if [ $?
-eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ # setup uidpwddirauth authentication plugin
+ local plugin_id="UserDirEnrollment"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_019_1.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_019_1.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_019_2.txt"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_019_1.txt"
+
+ #Add ldap user
+ local rand=$RANDOM
+ local ldap_uid=rend19$rand
+ local ldap_user_password=rend19password
+ cat > $TmpDir/adduser19.ldif << adduser19.ldif_EOF
+
+version: 1
+
+ entry-id: 119
+dn: uid=$ldap_uid,ou=People,$ca_db_suffix
+passwordGraceUserTime: 0
+modifiersName: cn=Directory manager
+uidNumber: 1001
+gidNumber: 1001
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+uid: $ldap_uid
+cn: Posix User1
+sn: User1
+homeDirectory: /home/$ldap_uid
+loginshell: /bin/bash
+userPassword: $ldap_user_password
+adduser19.ldif_EOF
+
+ rlRun "/usr/bin/ldapmodify -a -x -h $ca_host -p $ldap_conn_port -D \"$ldap_rootdn\" -w $ldap_rootdn_password -c -f $TmpDir/adduser19.ldif" 0
+
+ #userdir enrollment using profile
+ local profile_id="caDirUserCert"
+ local request_type="crmf"
+ local request_key_size=1024
+ local request_key_type="rsa"
+
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:$ldap_uid \
+ subject_uid:$ldap_uid \
+ subject_email: \
+ subject_ou: \
+ subject_organization: \
+ subject_country: \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/$rand-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/$rand-subject.out"
+ rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem"
+
+ #userdir enrollment using profile
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_019_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_019_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_019_002_2.txt" 0 "Submit Certificate directory user enrollment request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_019_002.txt"
+ local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_019_002_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial
Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+
+ #Verify length of the serial number
+ serial_length=${#serial_number}
+ if [ $serial_length -le 0 ] ; then
+ rlFail "Certificate Serial Number is invalid : $serial_number"
+ fi
+
+ #Revoke the cert
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local invalidity_time=$(($(date +%s%N)/1000000))
+ serial_number_in_decimal=$((${serial_number}))
+ serial_number_only=${serial_number:2:$serial_length}
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_019_004.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d \"op=doRevoke&submit=submit&serialNumber=$serial_number_only&$serial_number_only=on&revocationReason=0&revokeAll=%28%7C%28certRecordId%3D$serial_number_in_decimal%29%29&invalidityDate=$invalidity_time&day=$Day&month=$Month&year=$Year&totalRecordCount=1&verifiedRecordCount=1&templateType=RevocationSuccess&csrRequestorComments=revokecerttest\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/doRevoke\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_019_004.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d \"op=doRevoke&submit=submit&serialNumber=$serial_number_only&$serial_number_only=on&revocationReason=0&revokeAll=%28%7C%28certRecordId%3D$serial_number_in_decimal%29%29&invalidityDate=$invalidity_time&day=$Day&month=$Month&year=$Year&totalRecordCount=1&verifiedRecordCount=1&templateType=RevocationSuccess&csrRequestorComments=revokecerttest\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/doRevoke\" > $TmpDir/ca_renew_dir_auth_usercert_019_004_2.txt" 0 "Submit Certificate Revoke request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_019_004.txt"
+ rlAssertGrep "revoked = \"yes\"" "$TmpDir/ca_renew_dir_auth_usercert_019_004_2.txt"
+
+ #Change caDirUserCert.cfg profile to have cert validity range default 
180 days.
+ replace_string_in_a_file $profile_file $replace_string $search_string
+ if [ $? -eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ #Submit Renew certificate request
+ local renew_profile_id="caDirUserRenewal"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_019_004.txt \
+ -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_019_004.txt \
+ -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_019_004_2.txt" 0 "Submit Certificate renew request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_019_004.txt"
+ rlAssertGrep "Cannot renew a revoked certificate" "$TmpDir/ca_renew_dir_auth_usercert_019_004_2.txt"
+
+ #Cleanup: Delete uidpwddirauth authentication plugin
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_019_005.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_019_005.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_019_005_2.txt"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_019_005.txt"
+ rlPhaseEnd
+
+
+ rlPhaseStartTest "pki_ca_renew_dir_auth_usercert-020: Renew a revoked expired directory user cert"
+ #set system clock 37 days older
+ 
reverse_system_clock 37
+
+ #Change caDirUserCert.cfg profile to have cert validity range to be 1 day
+ local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caDirUserCert.cfg"
+ local search_string="policyset.userCertSet.2.default.params.range=180"
+ local replace_string="policyset.userCertSet.2.default.params.range=20"
+ replace_string_in_a_file $profile_file $search_string $replace_string
+ if [ $? -eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ # setup uidpwddirauth authentication plugin
+ local plugin_id="UserDirEnrollment"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_020_1.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_020_1.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=$plugin_id&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_020_2.txt"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_020_1.txt"
+
+ #Add ldap user
+ local rand=$RANDOM
+ local ldap_uid=rend20$rand
+ local 
ldap_user_password=rend20password
+ cat > $TmpDir/adduser20.ldif << adduser20.ldif_EOF
+
+version: 1
+
+ entry-id: 120
+dn: uid=$ldap_uid,ou=People,$ca_db_suffix
+passwordGraceUserTime: 0
+modifiersName: cn=Directory manager
+uidNumber: 1001
+gidNumber: 1001
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+uid: $ldap_uid
+cn: Posix User1
+sn: User1
+homeDirectory: /home/$ldap_uid
+loginshell: /bin/bash
+userPassword: $ldap_user_password
+adduser20.ldif_EOF
+
+ rlRun "/usr/bin/ldapmodify -a -x -h $ca_host -p $ldap_conn_port -D \"$ldap_rootdn\" -w $ldap_rootdn_password -c -f $TmpDir/adduser20.ldif" 0
+
+ #userdir enrollment using profile
+ local profile_id="caDirUserCert"
+ local request_type="crmf"
+ local request_key_size=1024
+ local request_key_type="rsa"
+
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:$ldap_uid \
+ subject_uid:$ldap_uid \
+ subject_email: \
+ subject_ou: \
+ subject_organization: \
+ subject_country: \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/$rand-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/$rand-subject.out"
+ rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem"
+
+ #userdir enrollment using profile
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_020_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_020_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v 
$TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_020_002_2.txt" 0 "Submit Certificate directory user enrollment request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_020_002.txt"
+ local serial_number=$(cat -v $TmpDir/ca_renew_dir_auth_usercert_020_002_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+
+ #Verify length of the serial number
+ serial_length=${#serial_number}
+ if [ $serial_length -le 0 ] ; then
+ rlFail "Certificate Serial Number is invalid : $serial_number"
+ fi
+
+ #Revoke the cert
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local invalidity_time=$(($(date +%s%N)/1000000))
+ serial_number_in_decimal=$((${serial_number}))
+ serial_number_only=${serial_number:2:$serial_length}
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_020_004.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d \"op=doRevoke&submit=submit&serialNumber=$serial_number_only&$serial_number_only=on&revocationReason=0&revokeAll=%28%7C%28certRecordId%3D$serial_number_in_decimal%29%29&invalidityDate=$invalidity_time&day=$Day&month=$Month&year=$Year&totalRecordCount=1&verifiedRecordCount=1&templateType=RevocationSuccess&csrRequestorComments=revokecerttest\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/doRevoke\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_020_004.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d 
\"op=doRevoke&submit=submit&serialNumber=$serial_number_only&$serial_number_only=on&revocationReason=0&revokeAll=%28%7C%28certRecordId%3D$serial_number_in_decimal%29%29&invalidityDate=$invalidity_time&day=$Day&month=$Month&year=$Year&totalRecordCount=1&verifiedRecordCount=1&templateType=RevocationSuccess&csrRequestorComments=revokecerttest\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/doRevoke\" > $TmpDir/ca_renew_dir_auth_usercert_020_004_2.txt" 0 "Submit Certificate Revoke request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_020_004.txt" + rlAssertGrep "revoked = \"yes\"" "$TmpDir/ca_renew_dir_auth_usercert_020_004_2.txt" + + #Set System Clock back to today + forward_system_clock 37 + + #Change caDirUserCert.cfg profile to have cert validity range default 180 days. + replace_string_in_a_file $profile_file $replace_string $search_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #Submit Renew certificate request + local renew_profile_id="caDirUserRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_020_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_dir_auth_usercert_020_004.txt \ + -d \"profileId=$renew_profile_id&uid=$ldap_uid&pwd=$ldap_user_password&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_dir_auth_usercert_020_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_020_004.txt" + rlAssertGrep "Cannot renew a revoked certificate" "$TmpDir/ca_renew_dir_auth_usercert_020_004_2.txt" + + #Cleanup: Delete uidpwddirauth authentication plugin + 
rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_020_005.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_dir_auth_usercert_020_005.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_DELETE&OP_SCOPE=instance&RS_ID=$plugin_id\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_dir_auth_usercert_020_005_2.txt"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_dir_auth_usercert_020_005.txt"
+ rlPhaseEnd
+
+ rlPhaseStartTest "pki_ca_renew_dir_auth_usercert_cleanup: Enable nonce and delete temporary directory"
+ #set system clock 40 days older, backto today's datetime
+ reverse_system_clock 40
+ rlLog "tomcat name=$tomcat_name"
+ enable_ca_nonce $tomcat_name
+ #Delete temporary directory
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+}
diff --git a/tests/dogtag/acceptance/legacy/ca-tests/renewal/renew_caSSLClientCert.sh b/tests/dogtag/acceptance/legacy/ca-tests/renewal/renew_caSSLClientCert.sh
new file mode 100644
index 000000000..131608a58
--- /dev/null
+++ b/tests/dogtag/acceptance/legacy/ca-tests/renewal/renew_caSSLClientCert.sh
@@ -0,0 +1,1560 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/rhcs/acceptance/legacy-tests/ca-tests/renewal
+# Description: Self renew user SSL client certificates
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# The following pki commands needs to be tested:
+# /ca/ee/ca/ProfileSubmit profile caSSLClientSelfRenewal
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Author: Asha Akkiangady
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Include rhts environment
+. /usr/bin/rhts-environment.sh
+. /usr/share/beakerlib/beakerlib.sh
+. /opt/rhqa_pki/rhcs-shared.sh
+. 
/opt/rhqa_pki/env.sh
+
+run_pki-legacy-ca-renew_self_ca_user_ssl_client_cert_tests()
+{
+ local subsystemType=$1
+ local csRole=$2
+
+ # Creating Temporary Directory for pki Self Renew ca_user_ssl_client_cert
+ rlPhaseStartSetup "pki ca self renew caSSLClient cert - Temporary Directory"
+ rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlRun "export SSL_DIR=$CERTDB_DIR"
+ #Forward the clock 40 days to test grace period
+ # forward_system_clock 40
+ rlPhaseEnd
+
+ # Local Variables
+ get_topo_stack $csRole $TmpDir/topo_file
+ local CA_INST=$(cat $TmpDir/topo_file | grep MY_CA | cut -d= -f2)
+ local tomcat_name=$(eval echo \$${CA_INST}_TOMCAT_INSTANCE_NAME)
+ local ca_unsecure_port=$(eval echo \$${CA_INST}_UNSECURE_PORT)
+ local ca_secure_port=$(eval echo \$${CA_INST}_SECURE_PORT)
+ local ca_host=$(eval echo \$${csRole})
+ local valid_agent_user=$CA_INST\_agentV
+ local valid_agent_user_password=$CA_INST\_agentV_password
+ local valid_admin_user=$CA_INST\_adminV
+ local valid_admin_user_password=$CA_INST\_adminV_password
+ local valid_audit_user=$CA_INST\_auditV
+ local valid_audit_user_password=$CA_INST\_auditV_password
+ local valid_operator_user=$CA_INST\_operatorV
+ local valid_operator_user_password=$CA_INST\_operatorV_password
+ local valid_agent_cert=$CA_INST\_agentV
+ local TEMP_NSS_DB="$TmpDir/nssdb"
+ local TEMP_NSS_DB_PWD="redhat"
+ local ca_admin_user=$(eval echo \$${CA_INST}_ADMIN_USER)
+ local rand=$RANDOM
+ local tmp_junk_data=$(openssl rand -base64 50 | perl -p -e 's/\n//')
+ local TEMP_NSS_DB="$TmpDir/nssdb"
+ local TEMP_NSS_DB_PWD="redhat"
+ local ca_db_suffix=$(eval echo \$${CA_INST}_DB_SUFFIX)
+ local ldap_conn_port=$(eval echo \$${CA_INST}_LDAP_PORT)
+ local ldap_rootdn=$(eval echo $LDAP_ROOTDN)
+ local ldap_rootdn_password=$(eval echo $LDAP_ROOTDNPWD)
+ disable_ca_nonce $tomcat_name
+
+ rlPhaseStartTest "pki_ca_renew_self_sslclientcert-001: Self Renew a SSLClient cert that expires within the renew grace period" 
+ local userid="rens1"
+ local fullname=$userid
+ local password=password$userid
+ local email="$userid@mail_domain.com"
+ local phone="1234"
+ local state="CA"
+
+ #Create a certificate request
+ local profile_id="caUserCert"
+ local request_type="crmf"
+ local request_key_size=2048
+ local request_key_type="rsa"
+
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:$userid \
+ subject_uid:$userid \
+ subject_email:$email \
+ subject_ou:IDM \
+ subject_organization:Redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/$rand-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/$rand-subject.out"
+ rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_self_sslclientcert_001_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_self_sslclientcert_001_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_self_sslclientcert_001_002_2.txt" 0 "Submit Certificate request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_001_002.txt"
+ local request_id=$(cat -v 
$TmpDir/ca_renew_self_sslclientcert_001_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "requestid=$request_id"
+ #Approve certificate request
+ #10 days validity for the certs
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ local end_year=$(date -d '+10 days' '+%Y')
+ local end_month=$(date -d '+10 days' '+%m')
+ local end_day=$(date -d '+10 days' '+%d')
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second"
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local cert_ext_subjAltNames="RFC822Name: "
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_self_sslclientcert_001_003.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_self_sslclientcert_001_003.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_self_sslclientcert_001_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_001_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_self_sslclientcert_001_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Import the user certificate to a nssdb + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_001_004.txt \ + -d \"op=displayBySerial&serialNumber=$serial_number\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/displayBySerial\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_001_004.txt \ + -d \"op=displayBySerial&serialNumber=$serial_number\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/displayBySerial\" > $TmpDir/ca_renew_self_sslclientcert_001_004_2.txt" 0 "Submit displayBySerial request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_001_004.txt" + local certificate_in_base64=$(cat -v $TmpDir/ca_renew_self_sslclientcert_001_004_2.txt | grep 
'header.certChainBase64' | awk -F 'header.certChainBase64 = "' '{print $2}' | awk 'gsub("\";$","")' | sed 's/\\r\\n//g')
+ local certificate_header="-----BEGIN CERTIFICATE-----"
+ local certificate_footer="-----END CERTIFICATE-----"
+ rlLog "CERTIFICATE_IN_BASE64=$certificate_in_base64"
+ local certificate_file=$TmpDir/ca_renew_self_sslclientcert_1.pem
+ echo "$certificate_header" > $certificate_file
+ echo "$certificate_in_base64" >> $certificate_file
+ echo "$certificate_footer" >> $certificate_file
+ install_and_trust_user_cert $certificate_file $userid $TEMP_NSS_DB
+
+ #Submit Renew certificate request
+ rlRun "export SSL_DIR=$TEMP_NSS_DB"
+ local renew_profile_id="caSSLClientSelfRenewal"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_self_sslclientcert_001_005.txt \
+ -E $userid:$TEMP_NSS_DB_PWD \
+ -d \"profileId=$renew_profile_id&renewal=true\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_self_sslclientcert_001_005.txt \
+ -E $userid:$TEMP_NSS_DB_PWD \
+ -d \"profileId=$renew_profile_id&renewal=true\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_self_sslclientcert_001_005_2.txt" 0 "Submit Certificate renew request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_001_005.txt"
+ request_id=$(cat -v $TmpDir/ca_renew_self_sslclientcert_001_005_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "requestid=$request_id"
+
+ local serial_number=$(cat -v $TmpDir/ca_renew_self_sslclientcert_001_005_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+
+ #Make sure cerificate has 180 days validity
+ local notBefore=$(cat -v $TmpDir/ca_renew_self_sslclientcert_001_005_2.txt | grep 'Not Before' | awk -F 'Not Before: ' '{print $2}' | awk -F"Not 
After:" '{print $1}' | awk '{$NF="";sub(/\n+$/,"")}1')
+ local notAfter=$(cat -v $TmpDir/ca_renew_self_sslclientcert_001_005_2.txt | grep 'Not After' | awk -F 'Not After: ' '{print $2}' | awk -F"Subject:" '{print $1}' | awk '{$NF="";sub(/\n+$/,"")}1')
+ rlLog "notBefore=$notBefore"
+ rlLog "notAfter=$notAfter"
+ local notBefore_date=$(date --utc --date "$notBefore" +%s)
+ local notAfter_date=$(date --utc --date "$notAfter" +%s)
+ local number_of_days=$(( ($notAfter_date-$notBefore_date)/(3600*24) ))
+ rlLog "Certificate serial number $serial_number valid for $number_of_days days"
+ local expected_number_of_days=180
+ if [ $number_of_days -ne $expected_number_of_days ] ; then
+ rlFail "Certificate range is not valid, expected:$expected_number_of_days got:$number_of_days"
+ fi
+ #Verify length of the serial number
+ serial_length=${#serial_number}
+ if [ $serial_length -le 0 ] ; then
+ rlFail "Certificate Serial Number is invalid : $serial_number"
+ fi
+
+
+ #Cleanup:
+ rlRun "export SSL_DIR=$CERTDB_DIR"
+ rlPhaseEnd
+
+
+ rlPhaseStartTest "pki_ca_renew_self_sslclientcert-002: Self Renew a SSLClient cert that expires outside the renew grace period BZ1182353"
+ local userid="rens2"
+ local fullname=$userid
+ local password=password$userid
+ local email="$userid@mail_domain.com"
+ local phone="1234"
+ local state="CA"
+
+ #Create a certificate request
+ local profile_id="caUserCert"
+ local request_type="crmf"
+ local request_key_size=2048
+ local request_key_type="rsa"
+
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:$userid \
+ subject_uid:$userid \
+ subject_email:$email \
+ subject_ou:IDM \
+ subject_organization:Redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/$rand-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/$rand-subject.out"
+ rlRun "cat 
$TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_self_sslclientcert_002_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_self_sslclientcert_002_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_self_sslclientcert_002_002_2.txt" 0 "Submit Certificate request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_002_002.txt"
+ local request_id=$(cat -v $TmpDir/ca_renew_self_sslclientcert_002_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "requestid=$request_id"
+ #Approve certificate request
+ #32 days validity for the certs
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ local end_year=$(date -d '+32 days' '+%Y')
+ local end_month=$(date -d '+32 days' '+%m')
+ local end_day=$(date -d '+32 days' '+%d')
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second"
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local cert_ext_subjAltNames="RFC822Name: "
+ rlLog 
"curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_002_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_002_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_self_sslclientcert_002_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_002_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_self_sslclientcert_002_003_2.txt | tr '\\n' '\n' | grep 'Serial 
Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+
+ #Verify length of the serial number
+ serial_length=${#serial_number}
+ if [ $serial_length -le 0 ] ; then
+ rlFail "Certificate Serial Number is invalid : $serial_number"
+ fi
+
+ #Import the user certificate to a nssdb
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_self_sslclientcert_002_004.txt \
+ -d \"op=displayBySerial&serialNumber=$serial_number\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/displayBySerial\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_self_sslclientcert_002_004.txt \
+ -d \"op=displayBySerial&serialNumber=$serial_number\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/displayBySerial\" > $TmpDir/ca_renew_self_sslclientcert_002_004_2.txt" 0 "Submit displayBySerial request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_002_004.txt"
+ local certificate_in_base64=$(cat -v $TmpDir/ca_renew_self_sslclientcert_002_004_2.txt | grep 'header.certChainBase64' | awk -F 'header.certChainBase64 = "' '{print $2}' | awk 'gsub("\";$","")' | sed 's/\\r\\n//g')
+ local certificate_header="-----BEGIN CERTIFICATE-----"
+ local certificate_footer="-----END CERTIFICATE-----"
+ rlLog "CERTIFICATE_IN_BASE64=$certificate_in_base64"
+ local certificate_file=$TmpDir/ca_renew_self_sslclientcert_1.pem
+ echo "$certificate_header" > $certificate_file
+ echo "$certificate_in_base64" >> $certificate_file
+ echo "$certificate_footer" >> $certificate_file
+ install_and_trust_user_cert $certificate_file $userid $TEMP_NSS_DB
+
+ #Submit Renew certificate request
+ rlRun "export SSL_DIR=$TEMP_NSS_DB"
+ local renew_profile_id="caSSLClientSelfRenewal"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_self_sslclientcert_002_005.txt \
+ -E $userid:$TEMP_NSS_DB_PWD \
+ -d \"profileId=$renew_profile_id&renewal=true\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl 
--cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_002_005.txt \ + -E $userid:$TEMP_NSS_DB_PWD \ + -d \"profileId=$renew_profile_id&renewal=true\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_self_sslclientcert_002_005_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_002_005.txt" + request_id=$(cat -v $TmpDir/ca_renew_self_sslclientcert_002_005_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + rlAssertGrep "Request Rejected - Outside of Renewal Grace Period" "$TmpDir/ca_renew_self_sslclientcert_002_005_2.txt" + rlLog "BZ1182353 - https://bugzilla.redhat.com/show_bug.cgi?id=1182353" + + #Cleanup: + rlRun "export SSL_DIR=$CERTDB_DIR" + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_renew_self_sslclientcert-003: Self Renew a server cert that expires within the renew grace period" + local userid="rens3" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caServerCert" + local request_type="crmf" + local request_key_size=2048 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + 
--dump-header $TmpDir/ca_renew_self_sslclientcert_003_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_003_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_self_sslclientcert_003_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_003_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_self_sslclientcert_003_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + #Approve certificate request + #10 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+10 days' '+%Y') + local end_month=$(date -d '+10 days' '+%m') + local end_day=$(date -d '+10 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_003_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=CN=$userid.example.com¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid.example.com\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_003_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=CN=$userid.example.com¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=true&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid.example.com\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_self_sslclientcert_003_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_003_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_self_sslclientcert_003_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : 
$serial_number" + fi + + #Import the user certificate to a nssdb + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_003_004.txt \ + -d \"op=displayBySerial&serialNumber=$serial_number\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/displayBySerial\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_003_004.txt \ + -d \"op=displayBySerial&serialNumber=$serial_number\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/displayBySerial\" > $TmpDir/ca_renew_self_sslclientcert_003_004_2.txt" 0 "Submit displayBySerial request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_003_004.txt" + local certificate_in_base64=$(cat -v $TmpDir/ca_renew_self_sslclientcert_003_004_2.txt | grep 'header.certChainBase64' | awk -F 'header.certChainBase64 = "' '{print $2}' | awk 'gsub("\";$","")' | sed 's/\\r\\n//g') + local certificate_header="-----BEGIN CERTIFICATE-----" + local certificate_footer="-----END CERTIFICATE-----" + rlLog "CERTIFICATE_IN_BASE64=$certificate_in_base64" + local certificate_file=$TmpDir/ca_renew_self_sslclientcert_1.pem + echo "$certificate_header" > $certificate_file + echo "$certificate_in_base64" >> $certificate_file + echo "$certificate_footer" >> $certificate_file + install_and_trust_user_cert $certificate_file $userid $TEMP_NSS_DB + + #Submit Renew certificate request + rlRun "export SSL_DIR=$TEMP_NSS_DB" + local renew_profile_id="caSSLClientSelfRenewal" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_003_005.txt \ + -E $userid:$TEMP_NSS_DB_PWD \ + -d \"profileId=$renew_profile_id&renewal=true\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_003_005.txt \ + -E $userid:$TEMP_NSS_DB_PWD \ + -d \"profileId=$renew_profile_id&renewal=true\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > 
$TmpDir/ca_renew_self_sslclientcert_003_005_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_003_005.txt" + request_id=$(cat -v $TmpDir/ca_renew_self_sslclientcert_003_005_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + local serial_number=$(cat -v $TmpDir/ca_renew_self_sslclientcert_003_005_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Make sure cerificate has 180 days validity + local notBefore=$(cat -v $TmpDir/ca_renew_self_sslclientcert_003_005_2.txt | grep 'Not Before' | awk -F 'Not Before: ' '{print $2}' | awk -F"Not After:" '{print $1}' | awk '{$NF="";sub(/\n+$/,"")}1') + local notAfter=$(cat -v $TmpDir/ca_renew_self_sslclientcert_003_005_2.txt | grep 'Not After' | awk -F 'Not After: ' '{print $2}' | awk -F"Subject:" '{print $1}' | awk '{$NF="";sub(/\n+$/,"")}1') + rlLog "notBefore=$notBefore" + rlLog "notAfter=$notAfter" + local notBefore_date=$(date --utc --date "$notBefore" +%s) + local notAfter_date=$(date --utc --date "$notAfter" +%s) + local number_of_days=$(( ($notAfter_date-$notBefore_date)/(3600*24) )) + rlLog "Certificate serial number $serial_number valid for $number_of_days days" + local expected_number_of_days=720 + if [ $number_of_days -ne $expected_number_of_days ] ; then + rlFail "Certificate range is not valid, expected:$expected_number_of_days got:$number_of_days" + fi + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Cleanup: + rlRun "export SSL_DIR=$CERTDB_DIR" + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_renew_self_sslclientcert-004: Self Renew when a cert does not exist in nss db" + local userid="rens4" + + #Submit Renew certificate request + rlRun "export SSL_DIR=$TEMP_NSS_DB" + 
local renew_profile_id="caSSLClientSelfRenewal"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_self_sslclientcert_004_005.txt \
+ -E $userid:$TEMP_NSS_DB_PWD \
+ -d \"profileId=$renew_profile_id&renewal=true\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_self_sslclientcert_004_005.txt \
+ -E $userid:$TEMP_NSS_DB_PWD \
+ -d \"profileId=$renew_profile_id&renewal=true\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_self_sslclientcert_004_005_2.txt" 0 "Submit Certificate renew request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_004_005.txt"
+ rlAssertGrep "You have no certificates to be renewed or the certificates are malformed." "$TmpDir/ca_renew_self_sslclientcert_004_005_2.txt"
+
+ #Cleanup:
+ rlRun "export SSL_DIR=$CERTDB_DIR"
+ rlPhaseEnd
+
+ rlPhaseStartTest "pki_ca_renew_self_sslclientcert-005: Self Renew when graceBefore value is a smaller number and cert is in the renew grace period"
+ #Change grace period graceBefore value to a smaller number
+ local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caUserCert.cfg"
+ local search_string="policyset.userCertSet.10.constraint.params.renewal.graceBefore=30"
+ local replace_string="policyset.userCertSet.10.constraint.params.renewal.graceBefore=1"
+ replace_string_in_a_file $profile_file $search_string $replace_string
+ if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #user cert request using profile + local userid="rens5" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=2048 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_005_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_005_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_self_sslclientcert_005_002_2.txt" 0 "Submit Certificate 
request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_005_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_self_sslclientcert_005_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + #Approve certificate request + #1 day validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+1 day' '+%Y') + local end_month=$(date -d '+1 day' '+%m') + local end_day=$(date -d '+1 day' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_005_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_005_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_self_sslclientcert_005_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_005_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_self_sslclientcert_005_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Import the user certificate to a nssdb + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_005_004.txt \ + -d \"op=displayBySerial&serialNumber=$serial_number\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/displayBySerial\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_005_004.txt \ + -d \"op=displayBySerial&serialNumber=$serial_number\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/displayBySerial\" > $TmpDir/ca_renew_self_sslclientcert_005_004_2.txt" 0 "Submit displayBySerial request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_005_004.txt" + local certificate_in_base64=$(cat -v $TmpDir/ca_renew_self_sslclientcert_005_004_2.txt | grep 
'header.certChainBase64' | awk -F 'header.certChainBase64 = "' '{print $2}' | awk 'gsub("\";$","")' | sed 's/\\r\\n//g') + local certificate_header="-----BEGIN CERTIFICATE-----" + local certificate_footer="-----END CERTIFICATE-----" + rlLog "CERTIFICATE_IN_BASE64=$certificate_in_base64" + local certificate_file=$TmpDir/ca_renew_self_sslclientcert_1.pem + echo "$certificate_header" > $certificate_file + echo "$certificate_in_base64" >> $certificate_file + echo "$certificate_footer" >> $certificate_file + install_and_trust_user_cert $certificate_file $userid $TEMP_NSS_DB + + #Submit Renew certificate request + rlRun "export SSL_DIR=$TEMP_NSS_DB" + local renew_profile_id="caSSLClientSelfRenewal" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_005_005.txt \ + -E $userid:$TEMP_NSS_DB_PWD \ + -d \"profileId=$renew_profile_id&renewal=true\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_005_005.txt \ + -E $userid:$TEMP_NSS_DB_PWD \ + -d \"profileId=$renew_profile_id&renewal=true\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_self_sslclientcert_005_005_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_005_005.txt" + request_id=$(cat -v $TmpDir/ca_renew_self_sslclientcert_005_005_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + local serial_number=$(cat -v $TmpDir/ca_renew_self_sslclientcert_005_005_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Make sure cerificate has 180 days validity + local notBefore=$(cat -v $TmpDir/ca_renew_self_sslclientcert_005_005_2.txt | grep 'Not Before' | awk -F 'Not Before: ' '{print $2}' | awk -F"Not 
After:" '{print $1}' | awk '{$NF="";sub(/\n+$/,"")}1') + local notAfter=$(cat -v $TmpDir/ca_renew_self_sslclientcert_005_005_2.txt | grep 'Not After' | awk -F 'Not After: ' '{print $2}' | awk -F"Subject:" '{print $1}' | awk '{$NF="";sub(/\n+$/,"")}1') + rlLog "notBefore=$notBefore" + rlLog "notAfter=$notAfter" + local notBefore_date=$(date --utc --date "$notBefore" +%s) + local notAfter_date=$(date --utc --date "$notAfter" +%s) + local number_of_days=$(( ($notAfter_date-$notBefore_date)/(3600*24) )) + rlLog "Certificate serial number $serial_number valid for $number_of_days days" + local expected_number_of_days=180 + if [ $number_of_days -ne $expected_number_of_days ] ; then + rlFail "Certificate range is not valid, expected:$expected_number_of_days got:$number_of_days" + fi + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + + #Cleanup: + rlRun "export SSL_DIR=$CERTDB_DIR" + #Change grace period graceBefore value to original value 30 + replace_string_in_a_file $profile_file $replace_string $search_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_renew_self_sslclientcert-006: Self Renew when graceBefore value is a smaller number and cert is expiring outside the renew grace period BZ1182353" + #Change grace period graceBefore value to a smaller number + local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caUserCert.cfg" + local search_string="policyset.userCertSet.10.constraint.params.renewal.graceBefore=30" + local replace_string="policyset.userCertSet.10.constraint.params.renewal.graceBefore=1" + replace_string_in_a_file $profile_file $search_string $replace_string + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #user cert request using profile + local userid="rens6" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=2048 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_006_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_006_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_self_sslclientcert_006_002_2.txt" 0 "Submit Certificate 
request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_006_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_self_sslclientcert_006_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + #Approve certificate request + #5 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+5 days' '+%Y') + local end_month=$(date -d '+5 days' '+%m') + local end_day=$(date -d '+5 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_006_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_006_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_self_sslclientcert_006_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_006_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_self_sslclientcert_006_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Import the user certificate to a nssdb + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_006_004.txt \ + -d \"op=displayBySerial&serialNumber=$serial_number\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/displayBySerial\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_006_004.txt \ + -d \"op=displayBySerial&serialNumber=$serial_number\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/displayBySerial\" > $TmpDir/ca_renew_self_sslclientcert_006_004_2.txt" 0 "Submit displayBySerial request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_006_004.txt" + local certificate_in_base64=$(cat -v $TmpDir/ca_renew_self_sslclientcert_006_004_2.txt | grep 
'header.certChainBase64' | awk -F 'header.certChainBase64 = "' '{print $2}' | awk 'gsub("\";$","")' | sed 's/\\r\\n//g') + local certificate_header="-----BEGIN CERTIFICATE-----" + local certificate_footer="-----END CERTIFICATE-----" + rlLog "CERTIFICATE_IN_BASE64=$certificate_in_base64" + local certificate_file=$TmpDir/ca_renew_self_sslclientcert_1.pem + echo "$certificate_header" > $certificate_file + echo "$certificate_in_base64" >> $certificate_file + echo "$certificate_footer" >> $certificate_file + install_and_trust_user_cert $certificate_file $userid $TEMP_NSS_DB + + #Submit Renew certificate request + rlRun "export SSL_DIR=$TEMP_NSS_DB" + local renew_profile_id="caSSLClientSelfRenewal" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_006_005.txt \ + -E $userid:$TEMP_NSS_DB_PWD \ + -d \"profileId=$renew_profile_id&renewal=true\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_006_005.txt \ + -E $userid:$TEMP_NSS_DB_PWD \ + -d \"profileId=$renew_profile_id&renewal=true\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_self_sslclientcert_006_005_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_006_005.txt" + rlAssertGrep "Request Rejected - Outside of Renewal Grace Period" "$TmpDir/ca_renew_self_sslclientcert_006_005_2.txt" + request_id=$(cat -v $TmpDir/ca_renew_self_sslclientcert_006_005_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + rlLog "BZ1182353 - https://bugzilla.redhat.com/show_bug.cgi?id=1182353" + + #Cleanup: + rlRun "export SSL_DIR=$CERTDB_DIR" + #Change grace period graceBefore value to original value 30 + replace_string_in_a_file $profile_file $replace_string $search_string + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_renew_self_sslclientcert-007: Self Renew when graceBefore value is a bigger number and cert is in the renew grace period" + #Change grace period graceBefore value to a smaller number + local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caUserCert.cfg" + local search_string="policyset.userCertSet.10.constraint.params.renewal.graceBefore=30" + local replace_string="policyset.userCertSet.10.constraint.params.renewal.graceBefore=364" + replace_string_in_a_file $profile_file $search_string $replace_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #user cert request using profile + local userid="rens7" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=2048 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_007_002.txt \ + -d 
\"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_007_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_self_sslclientcert_007_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_007_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_self_sslclientcert_007_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + #Approve certificate request + #364 day validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+364 days' '+%Y') + local end_month=$(date -d '+364 days' '+%m') + local end_day=$(date -d '+364 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_007_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_007_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_self_sslclientcert_007_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_007_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_self_sslclientcert_007_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + 
if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Import the user certificate to a nssdb + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_007_004.txt \ + -d \"op=displayBySerial&serialNumber=$serial_number\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/displayBySerial\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_007_004.txt \ + -d \"op=displayBySerial&serialNumber=$serial_number\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/displayBySerial\" > $TmpDir/ca_renew_self_sslclientcert_007_004_2.txt" 0 "Submit displayBySerial request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_007_004.txt" + local certificate_in_base64=$(cat -v $TmpDir/ca_renew_self_sslclientcert_007_004_2.txt | grep 'header.certChainBase64' | awk -F 'header.certChainBase64 = "' '{print $2}' | awk 'gsub("\";$","")' | sed 's/\\r\\n//g') + local certificate_header="-----BEGIN CERTIFICATE-----" + local certificate_footer="-----END CERTIFICATE-----" + rlLog "CERTIFICATE_IN_BASE64=$certificate_in_base64" + local certificate_file=$TmpDir/ca_renew_self_sslclientcert_1.pem + echo "$certificate_header" > $certificate_file + echo "$certificate_in_base64" >> $certificate_file + echo "$certificate_footer" >> $certificate_file + install_and_trust_user_cert $certificate_file $userid $TEMP_NSS_DB + + #Submit Renew certificate request + rlRun "export SSL_DIR=$TEMP_NSS_DB" + local renew_profile_id="caSSLClientSelfRenewal" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_007_005.txt \ + -E $userid:$TEMP_NSS_DB_PWD \ + -d \"profileId=$renew_profile_id&renewal=true\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_007_005.txt \ + -E $userid:$TEMP_NSS_DB_PWD \ + -d 
\"profileId=$renew_profile_id&renewal=true\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_self_sslclientcert_007_005_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_007_005.txt" + request_id=$(cat -v $TmpDir/ca_renew_self_sslclientcert_007_005_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + local serial_number=$(cat -v $TmpDir/ca_renew_self_sslclientcert_007_005_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Make sure cerificate has 180 days validity + local notBefore=$(cat -v $TmpDir/ca_renew_self_sslclientcert_007_005_2.txt | grep 'Not Before' | awk -F 'Not Before: ' '{print $2}' | awk -F"Not After:" '{print $1}' | awk '{$NF="";sub(/\n+$/,"")}1') + local notAfter=$(cat -v $TmpDir/ca_renew_self_sslclientcert_007_005_2.txt | grep 'Not After' | awk -F 'Not After: ' '{print $2}' | awk -F"Subject:" '{print $1}' | awk '{$NF="";sub(/\n+$/,"")}1') + rlLog "notBefore=$notBefore" + rlLog "notAfter=$notAfter" + local notBefore_date=$(date --utc --date "$notBefore" +%s) + local notAfter_date=$(date --utc --date "$notAfter" +%s) + local number_of_days=$(( ($notAfter_date-$notBefore_date)/(3600*24) )) + rlLog "Certificate serial number $serial_number valid for $number_of_days days" + local expected_number_of_days=180 + if [ $number_of_days -ne $expected_number_of_days ] ; then + rlFail "Certificate range is not valid, expected:$expected_number_of_days got:$number_of_days" + fi + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + + #Cleanup: + rlRun "export SSL_DIR=$CERTDB_DIR" + #Change grace period graceBefore value to original value 30 + replace_string_in_a_file $profile_file 
$replace_string $search_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_renew_self_sslclientcert-008: Self Renew when graceBefore value is a bigger number and cert is expiring outside the renew grace period BZ1182353" + #Change grace period graceBefore value to a bigger number + local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caUserCert.cfg" + local search_string="policyset.userCertSet.10.constraint.params.renewal.graceBefore=30" + local replace_string="policyset.userCertSet.10.constraint.params.renewal.graceBefore=363" + replace_string_in_a_file $profile_file $search_string $replace_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #user cert request using profile + local userid="rens8" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=2048 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_008_002.txt \ + -d 
\"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_008_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_self_sslclientcert_008_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_008_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_self_sslclientcert_008_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + #Approve certificate request + #365 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+365 days' '+%Y') + local end_month=$(date -d '+365 days' '+%m') + local end_day=$(date -d '+365 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_008_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_008_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_self_sslclientcert_008_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_008_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_self_sslclientcert_008_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + 
if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Import the user certificate to a nssdb + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_008_004.txt \ + -d \"op=displayBySerial&serialNumber=$serial_number\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/displayBySerial\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_008_004.txt \ + -d \"op=displayBySerial&serialNumber=$serial_number\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/displayBySerial\" > $TmpDir/ca_renew_self_sslclientcert_008_004_2.txt" 0 "Submit displayBySerial request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_008_004.txt" + local certificate_in_base64=$(cat -v $TmpDir/ca_renew_self_sslclientcert_008_004_2.txt | grep 'header.certChainBase64' | awk -F 'header.certChainBase64 = "' '{print $2}' | awk 'gsub("\";$","")' | sed 's/\\r\\n//g') + local certificate_header="-----BEGIN CERTIFICATE-----" + local certificate_footer="-----END CERTIFICATE-----" + rlLog "CERTIFICATE_IN_BASE64=$certificate_in_base64" + local certificate_file=$TmpDir/ca_renew_self_sslclientcert_1.pem + echo "$certificate_header" > $certificate_file + echo "$certificate_in_base64" >> $certificate_file + echo "$certificate_footer" >> $certificate_file + install_and_trust_user_cert $certificate_file $userid $TEMP_NSS_DB + + #Submit Renew certificate request + rlRun "export SSL_DIR=$TEMP_NSS_DB" + local renew_profile_id="caSSLClientSelfRenewal" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_008_005.txt \ + -E $userid:$TEMP_NSS_DB_PWD \ + -d \"profileId=$renew_profile_id&renewal=true\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_008_005.txt \ + -E $userid:$TEMP_NSS_DB_PWD \ + -d 
\"profileId=$renew_profile_id&renewal=true\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_self_sslclientcert_008_005_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_008_005.txt" + rlAssertGrep "Request Rejected - Outside of Renewal Grace Period" "$TmpDir/ca_renew_self_sslclientcert_008_005_2.txt" + request_id=$(cat -v $TmpDir/ca_renew_self_sslclientcert_008_005_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + rlLog "BZ1182353 - https://bugzilla.redhat.com/show_bug.cgi?id=1182353" + + #Cleanup: + rlRun "export SSL_DIR=$CERTDB_DIR" + #Change grace period graceBefore value to original value 30 + replace_string_in_a_file $profile_file $replace_string $search_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_renew_self_sslclientcert-009: Self Renew when graceBefore value is a negative number and cert is in the renew grace period" + #Change grace period graceBefore value to a smaller number + local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caUserCert.cfg" + local search_string="policyset.userCertSet.10.constraint.params.renewal.graceBefore=30" + local replace_string="policyset.userCertSet.10.constraint.params.renewal.graceBefore=-10" + replace_string_in_a_file $profile_file $search_string $replace_string + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #user cert request using profile + local userid="rens9" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=2048 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_009_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_009_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_self_sslclientcert_009_002_2.txt" 0 "Submit Certificate 
request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_009_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_self_sslclientcert_009_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + #Approve certificate request + #50 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+50 days' '+%Y') + local end_month=$(date -d '+50 days' '+%m') + local end_day=$(date -d '+50 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_009_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_009_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_self_sslclientcert_009_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_009_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_self_sslclientcert_009_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Import the user certificate to a nssdb + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_009_004.txt \ + -d \"op=displayBySerial&serialNumber=$serial_number\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/displayBySerial\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_009_004.txt \ + -d \"op=displayBySerial&serialNumber=$serial_number\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/displayBySerial\" > $TmpDir/ca_renew_self_sslclientcert_009_004_2.txt" 0 "Submit displayBySerial request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_009_004.txt" + local certificate_in_base64=$(cat -v $TmpDir/ca_renew_self_sslclientcert_009_004_2.txt | grep 
'header.certChainBase64' | awk -F 'header.certChainBase64 = "' '{print $2}' | awk 'gsub("\";$","")' | sed 's/\\r\\n//g') + local certificate_header="-----BEGIN CERTIFICATE-----" + local certificate_footer="-----END CERTIFICATE-----" + rlLog "CERTIFICATE_IN_BASE64=$certificate_in_base64" + local certificate_file=$TmpDir/ca_renew_self_sslclientcert_1.pem + echo "$certificate_header" > $certificate_file + echo "$certificate_in_base64" >> $certificate_file + echo "$certificate_footer" >> $certificate_file + install_and_trust_user_cert $certificate_file $userid $TEMP_NSS_DB + + #Submit Renew certificate request + rlRun "export SSL_DIR=$TEMP_NSS_DB" + local renew_profile_id="caSSLClientSelfRenewal" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_009_005.txt \ + -E $userid:$TEMP_NSS_DB_PWD \ + -d \"profileId=$renew_profile_id&renewal=true\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_009_005.txt \ + -E $userid:$TEMP_NSS_DB_PWD \ + -d \"profileId=$renew_profile_id&renewal=true\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_self_sslclientcert_009_005_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_009_005.txt" + request_id=$(cat -v $TmpDir/ca_renew_self_sslclientcert_009_005_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + local serial_number=$(cat -v $TmpDir/ca_renew_self_sslclientcert_009_005_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Make sure cerificate has 180 days validity + local notBefore=$(cat -v $TmpDir/ca_renew_self_sslclientcert_009_005_2.txt | grep 'Not Before' | awk -F 'Not Before: ' '{print $2}' | awk -F"Not 
After:" '{print $1}' | awk '{$NF="";sub(/\n+$/,"")}1') + local notAfter=$(cat -v $TmpDir/ca_renew_self_sslclientcert_009_005_2.txt | grep 'Not After' | awk -F 'Not After: ' '{print $2}' | awk -F"Subject:" '{print $1}' | awk '{$NF="";sub(/\n+$/,"")}1') + rlLog "notBefore=$notBefore" + rlLog "notAfter=$notAfter" + local notBefore_date=$(date --utc --date "$notBefore" +%s) + local notAfter_date=$(date --utc --date "$notAfter" +%s) + local number_of_days=$(( ($notAfter_date-$notBefore_date)/(3600*24) )) + rlLog "Certificate serial number $serial_number valid for $number_of_days days" + local expected_number_of_days=180 + if [ $number_of_days -ne $expected_number_of_days ] ; then + rlFail "Certificate range is not valid, expected:$expected_number_of_days got:$number_of_days" + fi + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + + #Cleanup: + rlRun "export SSL_DIR=$CERTDB_DIR" + #Change grace period graceBefore value to original value 30 + replace_string_in_a_file $profile_file $replace_string $search_string + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_renew_self_sslclientcert-010: Self Renew a revoked SSLClient cert that expires within the renew grace period" + local userid="rens10" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=2048 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_010_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_010_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k 
\"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_self_sslclientcert_010_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_010_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_self_sslclientcert_010_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + #Approve certificate request + #20 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+20 days' '+%Y') + local end_month=$(date -d '+20 days' '+%m') + local end_day=$(date -d '+20 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_010_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert 
$CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_010_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_self_sslclientcert_010_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_010_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_self_sslclientcert_010_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Import the user certificate to a nssdb + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_010_004.txt \ + -d \"op=displayBySerial&serialNumber=$serial_number\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/displayBySerial\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_010_004.txt \ + -d \"op=displayBySerial&serialNumber=$serial_number\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/displayBySerial\" > $TmpDir/ca_renew_self_sslclientcert_010_004_2.txt" 0 "Submit displayBySerial request" + rlAssertGrep "HTTP/1.1 200 OK" 
"$TmpDir/ca_renew_self_sslclientcert_010_004.txt" + local certificate_in_base64=$(cat -v $TmpDir/ca_renew_self_sslclientcert_010_004_2.txt | grep 'header.certChainBase64' | awk -F 'header.certChainBase64 = "' '{print $2}' | awk 'gsub("\";$","")' | sed 's/\\r\\n//g') + local certificate_header="-----BEGIN CERTIFICATE-----" + local certificate_footer="-----END CERTIFICATE-----" + rlLog "CERTIFICATE_IN_BASE64=$certificate_in_base64" + local certificate_file=$TmpDir/ca_renew_self_sslclientcert_1.pem + echo "$certificate_header" > $certificate_file + echo "$certificate_in_base64" >> $certificate_file + echo "$certificate_footer" >> $certificate_file + install_and_trust_user_cert $certificate_file $userid $TEMP_NSS_DB + + #Revoke the cert + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local invalidity_time=$(($(date +%s%N)/1000000)) + + serial_number_in_decimal=$((${serial_number})) + serial_number_only=${serial_number:2:$serial_length} + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_010_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"op=doRevoke&submit=submit&serialNumber=$serial_number_only&$serial_number_only=on&revocationReason=0&revokeAll=%28%7C%28certRecordId%3D$serial_number_in_decimal%29%29&invalidityDate=$invalidity_time&day=$Day&month=$Month&year=$Year&totalRecordCount=1&verifiedRecordCount=1&templateType=RevocationSuccess&csrRequestorComments=revokecerttest\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/doRevoke\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_010_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"op=doRevoke&submit=submit&serialNumber=$serial_number_only&$serial_number_only=on&revocationReason=0&revokeAll=%28%7C%28certRecordId%3D$serial_number_in_decimal%29%29&invalidityDate=$invalidity_time&day=$Day&month=$Month&year=$Year&totalRecordCount=1&verifiedRecordCount=1&templateType=RevocationSuccess&csrRequestorComments=revokecerttest\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/doRevoke\" > $TmpDir/ca_renew_self_sslclientcert_010_005_2.txt" 0 "Submit Certificate Rovoke request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_010_005.txt" + rlAssertGrep "revoked = \"yes\"" "$TmpDir/ca_renew_self_sslclientcert_010_005_2.txt" + + #Submit Renew certificate request + rlRun "export SSL_DIR=$TEMP_NSS_DB" + local renew_profile_id="caSSLClientSelfRenewal" + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_010_006.txt \ + -E $userid:$TEMP_NSS_DB_PWD \ + -d \"profileId=$renew_profile_id&renewal=true\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_010_006.txt \ + -E $userid:$TEMP_NSS_DB_PWD \ + -d \"profileId=$renew_profile_id&renewal=true\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_self_sslclientcert_010_006_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_010_006.txt" + rlAssertGrep "Cannot renew a revoked certificate" "$TmpDir/ca_renew_self_sslclientcert_010_006_2.txt" + request_id=$(cat -v $TmpDir/ca_renew_self_sslclientcert_010_006_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Cleanup: + rlRun "export SSL_DIR=$CERTDB_DIR" + rlPhaseEnd + + rlPhaseStartTest "pki_ca_renew_self_sslclientcert-011: Self Renew a revoked SSLClient cert when its outside the renew grace period" + 
local userid="rens11" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=2048 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_011_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_011_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_self_sslclientcert_011_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_011_002.txt" + local request_id=$(cat -v 
$TmpDir/ca_renew_self_sslclientcert_011_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + #Approve certificate request + #50 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+50 days' '+%Y') + local end_month=$(date -d '+50 days' '+%m') + local end_day=$(date -d '+50 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_011_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_011_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_self_sslclientcert_011_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_011_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_self_sslclientcert_011_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Import the user certificate to a nssdb + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_011_004.txt \ + -d \"op=displayBySerial&serialNumber=$serial_number\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/displayBySerial\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_011_004.txt \ + -d \"op=displayBySerial&serialNumber=$serial_number\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/displayBySerial\" > $TmpDir/ca_renew_self_sslclientcert_011_004_2.txt" 0 "Submit displayBySerial request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_011_004.txt" + local certificate_in_base64=$(cat -v $TmpDir/ca_renew_self_sslclientcert_011_004_2.txt | grep 
'header.certChainBase64' | awk -F 'header.certChainBase64 = "' '{print $2}' | awk 'gsub("\";$","")' | sed 's/\\r\\n//g') + local certificate_header="-----BEGIN CERTIFICATE-----" + local certificate_footer="-----END CERTIFICATE-----" + rlLog "CERTIFICATE_IN_BASE64=$certificate_in_base64" + local certificate_file=$TmpDir/ca_renew_self_sslclientcert_1.pem + echo "$certificate_header" > $certificate_file + echo "$certificate_in_base64" >> $certificate_file + echo "$certificate_footer" >> $certificate_file + install_and_trust_user_cert $certificate_file $userid $TEMP_NSS_DB + + #Revoke the cert + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local invalidity_time=$(($(date +%s%N)/1000000)) + + serial_number_in_decimal=$((${serial_number})) + serial_number_only=${serial_number:2:$serial_length} + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_011_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"op=doRevoke&submit=submit&serialNumber=$serial_number_only&$serial_number_only=on&revocationReason=0&revokeAll=%28%7C%28certRecordId%3D$serial_number_in_decimal%29%29&invalidityDate=$invalidity_time&day=$Day&month=$Month&year=$Year&totalRecordCount=1&verifiedRecordCount=1&templateType=RevocationSuccess&csrRequestorComments=revokecerttest\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/doRevoke\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_self_sslclientcert_011_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"op=doRevoke&submit=submit&serialNumber=$serial_number_only&$serial_number_only=on&revocationReason=0&revokeAll=%28%7C%28certRecordId%3D$serial_number_in_decimal%29%29&invalidityDate=$invalidity_time&day=$Day&month=$Month&year=$Year&totalRecordCount=1&verifiedRecordCount=1&templateType=RevocationSuccess&csrRequestorComments=revokecerttest\" \ + -k 
\"https://$ca_host:$ca_secure_port/ca/agent/ca/doRevoke\" > $TmpDir/ca_renew_self_sslclientcert_011_005_2.txt" 0 "Submit Certificate Rovoke request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_011_005.txt"
+ rlAssertGrep "revoked = \"yes\"" "$TmpDir/ca_renew_self_sslclientcert_011_005_2.txt"
+
+ #Submit Renew certificate request
+ rlRun "export SSL_DIR=$TEMP_NSS_DB"
+ local renew_profile_id="caSSLClientSelfRenewal"
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_self_sslclientcert_011_006.txt \
+ -E $userid:$TEMP_NSS_DB_PWD \
+ -d \"profileId=$renew_profile_id&renewal=true\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_self_sslclientcert_011_006.txt \
+ -E $userid:$TEMP_NSS_DB_PWD \
+ -d \"profileId=$renew_profile_id&renewal=true\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_self_sslclientcert_011_006_2.txt" 0 "Submit Certificate renew request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_self_sslclientcert_011_006.txt"
+ rlAssertGrep "Cannot renew a revoked certificate" "$TmpDir/ca_renew_self_sslclientcert_011_006_2.txt"
+ request_id=$(cat -v $TmpDir/ca_renew_self_sslclientcert_011_006_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "requestid=$request_id"
+
+ #Cleanup:
+ rlRun "export SSL_DIR=$CERTDB_DIR"
+ rlPhaseEnd
+
+ rlPhaseStartTest "pki_ca_renew_self_sslclientcert_cleanup: Enable nonce and delete temporary directory"
+ rlLog "tomcat name=$tomcat_name"
+ enable_ca_nonce $tomcat_name
+ #Delete temporary directory
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+}
diff --git a/tests/dogtag/acceptance/legacy/ca-tests/renewal/renew_manual.sh b/tests/dogtag/acceptance/legacy/ca-tests/renewal/renew_manual.sh
new file mode 100644
index 000000000..c64fd0b85
--- /dev/null
+++ b/tests/dogtag/acceptance/legacy/ca-tests/renewal/renew_manual.sh 
@@ -0,0 +1,3399 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/rhcs/acceptance/legacy-tests/ca-tests
+# Description: PKI CA certificate renewal manually approved by agents tests
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# The following pki commands needs to be tested:
+# /ca/ee/ca/ProfileSubmit with profile id caManualRenewal
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Author: Asha Akkiangady
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Include rhts environment
+. /usr/bin/rhts-environment.sh
+. /usr/share/beakerlib/beakerlib.sh
+. /opt/rhqa_pki/rhcs-shared.sh
+. 
/opt/rhqa_pki/env.sh + +run_pki-legacy-ca-renew_manual_tests() +{ + local subsystemType=$1 + local csRole=$2 + + # Creating Temporary Directory for pki ca-renew-manual + rlPhaseStartSetup "pki ca renew manual Temporary Directory" + rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory" + rlRun "pushd $TmpDir" + rlRun "export SSL_DIR=$CERTDB_DIR" + #Forward the clock 40 days to test grace period + forward_system_clock 40 + rlPhaseEnd + + # Local Variables + get_topo_stack $csRole $TmpDir/topo_file + local CA_INST=$(cat $TmpDir/topo_file | grep MY_CA | cut -d= -f2) + local tomcat_name=$(eval echo \$${CA_INST}_TOMCAT_INSTANCE_NAME) + local ca_unsecure_port=$(eval echo \$${CA_INST}_UNSECURE_PORT) + local ca_secure_port=$(eval echo \$${CA_INST}_SECURE_PORT) + local ca_host=$(eval echo \$${csRole}) + local valid_agent_user=$CA_INST\_agentV + local valid_agent_user_password=$CA_INST\_agentV_password + local valid_admin_user=$CA_INST\_adminV + local valid_admin_user_password=$CA_INST\_adminV_password + local valid_audit_user=$CA_INST\_auditV + local valid_audit_user_password=$CA_INST\_auditV_password + local valid_operator_user=$CA_INST\_operatorV + local valid_operator_user_password=$CA_INST\_operatorV_password + local valid_agent_cert=$CA_INST\_agentV + local TEMP_NSS_DB="$TmpDir/nssdb" + local TEMP_NSS_DB_PWD="redhat" + local ca_admin_user=$(eval echo \$${CA_INST}_ADMIN_USER) + local rand=$RANDOM + local tmp_junk_data=$(openssl rand -base64 50 | perl -p -e 's/\n//') + local TEMP_NSS_DB="$TmpDir/nssdb" + local TEMP_NSS_DB_PWD="redhat" + local ca_db_suffix=$(eval echo \$${CA_INST}_DB_SUFFIX) + local ldap_conn_port=$(eval echo \$${CA_INST}_LDAP_PORT) + local ldap_rootdn=$(eval echo $LDAP_ROOTDN) + local ldap_rootdn_password=$(eval echo $LDAP_ROOTDNPWD) + disable_ca_nonce $tomcat_name + + rlPhaseStartTest "pki_ca_renew_manual-001: Renew a cert that expires with in the renew grace period - manually approved by a valid agent" + local userid="renm2" + local fullname=$userid + 
local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=2048 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_001_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_001_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_001_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_001_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_manual_001_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog 
"requestid=$request_id" + + #Approve certificate request + #10 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+10 days' '+%Y') + local end_month=$(date -d '+10 days' '+%m') + local end_day=$(date -d '+10 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_001_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_001_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_001_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_001_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_manual_001_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caManualRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_001_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_001_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_001_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_001_004.txt" + request_id=$(cat -v 
$TmpDir/ca_renew_manual_001_004_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Agent Approve renew request + #180 days validity for certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$(date -d '+180 days' '+%Y') + local end_month=$(date -d '+180 days' '+%m') + local end_day=$(date -d '+180 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_001_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_001_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_001_005_2.txt" 0 "Submit Certificate approve request" + lAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_001_005.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_manual_001_005_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + rlPhaseEnd + + rlPhaseStartTest "pki_ca_renew_manual-002: Renew a cert that expired and with in the renew grace period - manually approved by a valid agent" + # Set System Clock 40 days older from today + reverse_system_clock 40 + + #user cert enrollment using profile + local userid="renm3" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=2048 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + 
request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_002_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_002_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_002_002_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_002_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_manual_002_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Approve certificate request + #20 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+20 days' '+%Y') + local end_month=$(date -d '+20 days' '+%m') + local end_day=$(date -d '+20 
days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_002_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_002_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_002_003_2.txt" 0 
"Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_002_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_manual_002_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Set System Clock back to today + forward_system_clock 40 + + #Now the certificate is expired and in the renew grace period 30 days + #Renew certificate + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caManualRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_001_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_001_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_001_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_001_004.txt" + request_id=$(cat -v $TmpDir/ca_renew_manual_001_004_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Verify requestid + if [ $request_id -le 0 ] ; then + rlFail "Request id not found." 
+ fi + + #Agent Approve renew request + #180 days validity for certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$(date -d '+180 days' '+%Y') + local end_month=$(date -d '+180 days' '+%m') + local end_day=$(date -d '+180 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_002_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_002_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_002_005_2.txt" 0 "Submit Certificate approve request" + lAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_002_005.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_manual_002_005_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + rlPhaseEnd + + rlPhaseStartTest "pki_ca_renew_manual-003: Renew a cert that expires outside the renew grace period BZ1182353" + local userid="renm4" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + 
subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_003_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_003_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_003_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_003_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_manual_003_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Approve certificate request + #31 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+31 days' '+%Y') + local end_month=$(date -d '+31 days' '+%m') + local end_day=$(date -d '+31 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local 
cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_003_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_003_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_003_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_003_003.txt" + local serial_number=$(cat -v 
$TmpDir/ca_renew_manual_003_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+
+ #Verify length of the serial number
+ serial_length=${#serial_number}
+ if [ $serial_length -le 0 ] ; then
+ rlFail "Certificate Serial Number is invalid : $serial_number"
+ fi
+
+ #Renew cert
+ serial_number_in_decimal=$((${serial_number}))
+ #Submit Renew certificate request
+ local renew_profile_id="caManualRenewal"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_003_004.txt \
+ -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_003_004.txt \
+ -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_003_004_2.txt" 0 "Submit Certificate renew request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_003_004.txt"
+ rlAssertGrep "Request Rejected - Outside of Renewal Grace Period" "$TmpDir/ca_renew_manual_003_004_2.txt"
+ rlLog "BZ1182353 - https://bugzilla.redhat.com/show_bug.cgi?id=1182353"
+ rlPhaseEnd
+
+ rlPhaseStartTest "pki_ca_renew_manual-004: Renew a cert that expired and not with in the renew grace period BZ1182353"
+ #Set System Clock 40 days older from today
+ reverse_system_clock 40
+
+ #user cert enrollment using profile
+ local userid="renm5"
+ local fullname=$userid
+ local password=password$userid
+ local email="$userid@mail_domain.com"
+ local phone="1234"
+ local state="CA"
+
+ #Create a certificate request
+ local profile_id="caUserCert"
+ local request_type="crmf"
+ local request_key_size=1024
+ local request_key_type="rsa"
+
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+
request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_004_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_004_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_004_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_004_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_manual_004_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Approve certificate request + #6 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+6 days' '+%Y') + local end_month=$(date -d '+6 days' '+%m') + 
local end_day=$(date -d '+6 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_004_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_004_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > 
$TmpDir/ca_renew_manual_004_003_2.txt" 0 "Submit Certificate approve request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_004_003.txt"
+ local serial_number=$(cat -v $TmpDir/ca_renew_manual_004_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+
+ #Verify length of the serial number
+ serial_length=${#serial_number}
+ if [ $serial_length -le 0 ] ; then
+ rlFail "Certificate Serial Number is invalid : $serial_number"
+ fi
+
+ #Set System Clock back to today
+ forward_system_clock 40
+
+ #Now the certificate is expired and outside the renew grace period 30 days
+ #Renew certificate
+ serial_number_in_decimal=$((${serial_number}))
+ #Submit Renew certificate request
+ local renew_profile_id="caManualRenewal"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_004_004.txt \
+ -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_004_004.txt \
+ -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_004_004_2.txt" 0 "Submit Certificate renew request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_004_004.txt"
+ rlAssertGrep "Request Rejected - Outside of Renewal Grace Period" "$TmpDir/ca_renew_manual_004_004_2.txt"
+ rlLog "BZ1182353 - https://bugzilla.redhat.com/show_bug.cgi?id=1182353"
+ rlPhaseEnd
+
+ rlPhaseStartTest "pki_ca_renew_manual-005: Serial number provided for a renewal does not exist in the certificate system"
+ local renew_profile_id="caManualRenewal"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_005_001.txt \
+ -d \"profileId=$renew_profile_id&renewal=true&serial_num=123456789\" \
+ -k
\"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_005_001.txt \
+ -d \"profileId=$renew_profile_id&renewal=true&serial_num=123456789\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_005_001_2.txt" 0 "Submit Certificate renew request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_005_001.txt"
+ rlAssertGrep "errorReason=\"Record not found\"" "$TmpDir/ca_renew_manual_005_001_2.txt"
+ rlPhaseEnd
+
+ rlPhaseStartTest "pki_ca_renew_manual-006: Renew a dual cert that expires in the renew grace period - manually approved by a valid agent"
+ local request_type=crmfdual
+ local request_key_type=rsa
+ local request_key_size=2048
+ local profile=caDualCert
+ local userid="renm6"
+ local usercn="renm6User1"
+ local usermail="foo1@example.org"
+ local test_out=ca-$profile-test1.txt
+ rlRun "export SSL_DIR=$CERTDB_DIR"
+ rlLog "Create a new certificate request of type $request_type with key size $request_key_size"
+
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:\"$usercn\" \
+ subject_uid:$userid \
+ subject_email:$usermail \
+ subject_ou:IDM \
+ subject_organization:RedHat \
+ subject_country:US \
+ subject_archive:true \
+ cert_request_file:$TEMP_NSS_DB/$rand-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile"
+
+ local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2)
+ rlLog "cert_requestdn=$cert_requestdn"
+ rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem"
+ rlLog "curl --basic --dump-header $TmpDir/ca_admin_out_1 \
+ -d
\"cert_request_type=$request_type&enckeyParam=$request_key_size&signKeyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&sn_uid=$userid&sn_e=$useremail&sn_cn=$usercn&sn_ou3=&sn_ou2=&sn_ou1=&sn_ou=IDM&sn_o=RedHat&sn_c=US&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$ca_host:$ca_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $TmpDir/ca_admin_out_1 \ + -d \"cert_request_type=$request_type&enckeyParam=$request_key_size&signKeyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&sn_uid=$userid&sn_e=$useremail&sn_cn=$usercn&sn_ou3=&sn_ou2=&sn_ou1=&sn_ou=IDM&sn_o=RedHat&sn_c=US&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput=false\" \ + -k https://$ca_host:$ca_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_admin_out_1" + rlAssertNotGrep "Sorry, your request has been rejected" "$TmpDir/ca_admin_out_1" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + local request_id1=$(echo $request_id | cut -d " " -f1) + local request_id2=$(echo $request_id | cut -d " " -f2) + rlLog "request_id1=$request_id1" + rlLog "request_id2=$request_id2" + #approve request id 1 + rlLog "Approve $request_id1 using $valid_agent_cert" + # 10 days validity for certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$(date -d '+10 days' '+%Y') + local end_month=$(date -d '+10 days' '+%m') + local end_day=$(date -d '+10 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day 
$Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_006_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id1&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=false&keyUsageNonRepudiation=false&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_006_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id1&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=false&keyUsageNonRepudiation=false&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_006_005_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_006_005.txt" + local 
serial_number1=$(cat -v $TmpDir/ca_renew_manual_006_005_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number1=$serial_number1" + + #Verify length of the serial number + serial_length=${#serial_number1} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number1" + fi + + #Approve request_id2 + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_006_006.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id2&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_006_006.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id2&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_006_006_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_006_006.txt" + local serial_number2=$(cat -v $TmpDir/ca_renew_manual_006_006_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number2=$serial_number2" + + #Verify length of the serial number + serial_length=${#serial_number2} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number2" + fi + + #Renew serial_number1 + local renew_profile_id="caManualRenewal" + serial_number1_in_decimal=$((${serial_number1})) + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_006_007.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number1_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_006_007.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number1_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_006_007_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_006_007.txt" + request_id1=$(cat -v 
$TmpDir/ca_renew_manual_006_007_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid1=$request_id1" + + #Verify requestid + if [ $request_id1 -le 0 ] ; then + rlFail "Request id not found." + fi + + #Agent Approve renew request + #180 days validity for certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$(date -d '+180 days' '+%Y') + local end_month=$(date -d '+180 days' '+%m') + local end_day=$(date -d '+180 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_006_008.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id1&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=false&keyUsageNonRepudiation=false&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_006_008.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id1&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=false&keyUsageNonRepudiation=false&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_006_008_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_006_008.txt" + local serial_number1=$(cat -v $TmpDir/ca_renew_manual_006_008_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number1" + + #Verify length of the serial number + serial_length=${#serial_number1} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number1" + fi + + + #Renew serial_number2 + local renew_profile_id="caManualRenewal" + serial_number2_in_decimal=$((${serial_number2})) + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_006_009.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number2_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_006_009.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number2_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_006_009_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_006_009.txt" + request_id2=$(cat -v 
$TmpDir/ca_renew_manual_006_009_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid2=$request_id2" + + #Verify requestid + if [ $request_id2 -le 0 ] ; then + rlFail "Request id not found." + fi + + #Agent Approve renew request + #180 days validity for certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$(date -d '+180 days' '+%Y') + local end_month=$(date -d '+180 days' '+%m') + local end_day=$(date -d '+180 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_006_010.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id2&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_006_010.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id2&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_006_010_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_006_010.txt" + local serial_number2=$(cat -v $TmpDir/ca_renew_manual_006_010_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number2=$serial_number2" + + #Verify length of the serial number + serial_length=${#serial_number2} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number2" + fi + rlPhaseEnd + + rlPhaseStartTest "pki_ca_renew_manual-007: Renew a dual cert that is expired and is in the renew grace period - manually approved by a valid agent" + # Set System Clock 40 days older from today + reverse_system_clock 40 + + local request_type=crmfdual + local request_key_type=rsa + local request_key_size=2048 + local profile=caDualCert + local userid="renm7" + local usercn="renm7User1" + local usermail="renm7@example.org" + local test_out=ca-$profile-test1.txt + rlRun "export SSL_DIR=$CERTDB_DIR" + rlLog "Create a new certificate request of type $request_type with key size $request_key_size" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + 
request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:\"$usercn\" \ + subject_uid:$userid \ + subject_email:$usermail \ + subject_ou:IDM \ + subject_organization:RedHat \ + subject_country:US \ + subject_archive:true \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" 0 "Create $request_type request for $profile" + + local cert_requestdn=$(cat $TEMP_NSS_DB/$rand-subject.out | grep Request_DN | cut -d ":" -f2) + rlLog "cert_requestdn=$cert_requestdn" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic --dump-header $TmpDir/ca_admin_out_1 \ + -d \"cert_request_type=$request_type&enckeyParam=$request_key_size&signKeyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&sn_uid=$userid&sn_e=$useremail&sn_cn=$usercn&sn_ou3=&sn_ou2=&sn_ou1=&sn_ou=IDM&sn_o=RedHat&sn_c=US&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput\" \ + -k https://$ca_host:$ca_secure_port/ca/eeca/ca/profileSubmitSSLClient" + + rlRun "curl --basic --dump-header $TmpDir/ca_admin_out_1 \ + -d \"cert_request_type=$request_type&enckeyParam=$request_key_size&signKeyParam=$request_key_size&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)&sn_uid=$userid&sn_e=$useremail&sn_cn=$usercn&sn_ou3=&sn_ou2=&sn_ou1=&sn_ou=IDM&sn_o=RedHat&sn_c=US&requestor_name=&requestor_email=&requestor_phone=&profileId=$profile&renewal=false&xmlOutput=false\" \ + -k https://$ca_host:$ca_secure_port/ca/eeca/ca/profileSubmitSSLClient > $TmpDir/$test_out" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_admin_out_1" + rlAssertNotGrep "Sorry, your request has been rejected" "$TmpDir/ca_admin_out_1" + local request_id=$(cat -v $TmpDir/$test_out | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + local 
request_id1=$(echo $request_id | cut -d " " -f1) + local request_id2=$(echo $request_id | cut -d " " -f2) + rlLog "request_id1=$request_id1" + rlLog "request_id2=$request_id2" + #approve request id 1 + rlLog "Approve $request_id1 using $valid_agent_cert" + # 10 days validity for certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$(date -d '+10 days' '+%Y') + local end_month=$(date -d '+10 days' '+%m') + local end_day=$(date -d '+10 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_007_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id1&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=false&keyUsageNonRepudiation=false&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_007_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id1&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=false&keyUsageNonRepudiation=false&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_007_005_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_007_005.txt" + local serial_number1=$(cat -v $TmpDir/ca_renew_manual_007_005_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number1=$serial_number1" + + #Verify length of the serial number + serial_length=${#serial_number1} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number1" + fi + + #Approve request_id2 + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_007_006.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id2&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_007_006.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id2&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_007_006_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_007_006.txt" + local serial_number2=$(cat -v $TmpDir/ca_renew_manual_007_006_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number2=$serial_number2" + + #Verify length of the serial number + serial_length=${#serial_number2} + if [ $serial_length -le 0 ] ; then + 
rlFail "Certificate Serial Number is invalid : $serial_number2" + fi + + #Set System Clock back to today + forward_system_clock 40 + + #Renew serial_number1 + local renew_profile_id="caManualRenewal" + serial_number1_in_decimal=$((${serial_number1})) + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_007_007.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number1_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_007_007.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number1_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_007_007_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_007_007.txt" + request_id1=$(cat -v $TmpDir/ca_renew_manual_007_007_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid1=$request_id1" + + #Verify requestid + if [ $request_id1 -le 0 ] ; then + rlFail "Request id not found." 
+ fi + + #Agent Approve renew request + #180 days validity for certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$(date -d '+180 days' '+%Y') + local end_month=$(date -d '+180 days' '+%m') + local end_day=$(date -d '+180 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_007_008.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id1&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=false&keyUsageNonRepudiation=false&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_007_008.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id1&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=false&keyUsageNonRepudiation=false&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_007_008_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_007_008.txt" + local serial_number1=$(cat -v $TmpDir/ca_renew_manual_007_008_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number1" + + #Verify length of the serial number + serial_length=${#serial_number1} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number1" + fi + + + #Renew serial_number2 + local renew_profile_id="caManualRenewal" + serial_number2_in_decimal=$((${serial_number2})) + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_007_009.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number2_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_007_009.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number2_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_007_009_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_007_009.txt" + request_id2=$(cat -v 
$TmpDir/ca_renew_manual_007_009_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid2=$request_id2" + + #Verify requestid + if [ $request_id2 -le 0 ] ; then + rlFail "Request id not found." + fi + + #Agent Approve renew request + #180 days validity for certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$(date -d '+180 days' '+%Y') + local end_month=$(date -d '+180 days' '+%m') + local end_day=$(date -d '+180 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_007_010.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id2&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_007_010.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id2&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=false&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_007_010_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_007_010.txt" + local serial_number2=$(cat -v $TmpDir/ca_renew_manual_007_010_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number2=$serial_number2" + + #Verify length of the serial number + serial_length=${#serial_number2} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number2" + fi + rlPhaseEnd + + rlPhaseStartTest "pki_ca_renew_manual-008: Renew a directory user cert that is expired and is in the renew grace period - manually approved by a valid agent" + # Set System Clock 40 days older from today + reverse_system_clock 40 + + #Change caDirUserCert.cfg profile to have cert validity range to be 20 days + local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caDirUserCert.cfg" + local search_string="policyset.userCertSet.2.default.params.range=180" + local replace_string="policyset.userCertSet.2.default.params.range=20" + replace_string_in_a_file $profile_file $search_string $replace_string + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + # setup uidpwddirauth + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_008_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=UserDirEnrollment&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_008_1.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=instance&RS_ID=UserDirEnrollment&implName=UidPwdDirAuth&RULENAME=UserDirEnrollment&ldap.ldapconn.host=$ca_host&dnpattern=UID=!attr.uid,OU=people,$ca_db_suffix&ldapStringAttributes=mail&ldap.ldapconn.version=3&ldap.ldapconn.port=$ldap_conn_port&ldap.maxConns=5&ldap.basedn=$ca_db_suffix&ldap.minConns=2&ldap.ldapconn.secureConn=false&ldapByteAttributes=mail\" \ + -k \"https://$ca_host:$ca_secure_port/ca/auths\" > $TmpDir/ca_renew_manual_008_2.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_008_1.txt" + + #Add ldap user + local rand=$RANDOM + local ldap_uid=renm8$rand + local ldap_user_password=renm8password + cat > $TmpDir/adduser1.ldif << adduser1.ldif_EOF + +version: 1 + + entry-id: 10 +dn: uid=$ldap_uid,ou=People,$ca_db_suffix +passwordGraceUserTime: 0 +modifiersName: cn=Directory manager +uidNumber: 1001 +gidNumber: 1001 +objectClass: top +objectClass: person +objectClass: posixAccount +uid: $ldap_uid +cn: Posix User1 +sn: User1 +homeDirectory: /home/$ldap_uid +loginshell: /bin/bash +userPassword: $ldap_user_password +adduser1.ldif_EOF + + rlRun "/usr/bin/ldapmodify -a -x -h 
$ca_host -p $ldap_conn_port -D \"$ldap_rootdn\" -w $ldap_rootdn_password -c -f $TmpDir/adduser1.ldif" 0 + + #userdir enrollment using profile + local profile_id="caDirUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$ldap_uid \ + subject_uid:$ldap_uid \ + subject_email: \ + subject_ou: \ + subject_organization: \ + subject_country: \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + + #userdir enrollment using profile + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_008_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_008_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&uid=$ldap_uid&pwd=$ldap_user_password&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_008_002_2.txt" 0 "Submit Certificate directory user enrollment request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_008_002.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_manual_008_002_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ 
$serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + + #Set System Clock back to today + forward_system_clock 40 + + #Change caDirUserCert.cfg profile to have cert validity range default 180 days. + replace_string_in_a_file $profile_file $replace_string $search_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #Renew cert + local renew_profile_id="caManualRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_008_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_008_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_008_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_008_004.txt" + request_id=$(cat -v $TmpDir/ca_renew_manual_008_004_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Verify requestid + if [ $request_id -le 0 ] ; then + rlFail "Request id not found." 
+ fi + + #Agent Approve renew request + #180 days validity for certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$(date -d '+180 days' '+%Y') + local end_month=$(date -d '+180 days' '+%m') + local end_day=$(date -d '+180 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_008_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$ldap_uid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$ldap_uid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_008_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$ldap_uid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$ldap_uid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_008_005_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_008_005.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_manual_008_005_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + rlPhaseEnd + + rlPhaseStartTest "pki_ca_renew_manual-009: Manually approved by agent -when agent rejects the request " + local userid="renm9" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + 
subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_009_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_009_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_009_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_009_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_manual_009_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Approve certificate request + #10 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+10 days' '+%Y') + local end_month=$(date -d '+10 days' '+%m') + local end_day=$(date -d '+10 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local 
cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_009_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_009_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_009_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_009_003.txt" + local serial_number=$(cat -v 
$TmpDir/ca_renew_manual_009_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caManualRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_009_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_009_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_009_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_009_004.txt" + request_id=$(cat -v $TmpDir/ca_renew_manual_009_004_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Agent Approve renew request + #180 days validity for certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$(date -d '+180 days' '+%Y') + local end_month=$(date -d '+180 days' '+%m') + local end_day=$(date -d '+180 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + 
--dump-header $TmpDir/ca_renew_manual_009_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=reject&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_009_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=reject&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_009_005_2.txt" 0 "Submit Certificate reject request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_009_005.txt" + rlAssertGrep "requestStatus=\"rejected\"" "$TmpDir/ca_renew_manual_009_005_2.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_ca_renew_manual-010: Manually approved by agent -when agent cancel the request" + local 
userid="renm10" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_010_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_010_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_010_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_010_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_manual_010_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | 
awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Approve certificate request + #10 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+10 days' '+%Y') + local end_month=$(date -d '+10 days' '+%m') + local end_day=$(date -d '+10 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_010_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_010_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_010_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_010_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_manual_010_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caManualRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_010_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_010_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_010_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_010_004.txt" + request_id=$(cat -v 
$TmpDir/ca_renew_manual_010_004_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Agent Approve renew request + #180 days validity for certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$(date -d '+180 days' '+%Y') + local end_month=$(date -d '+180 days' '+%m') + local end_day=$(date -d '+180 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_010_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=cancel&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_010_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=cancel&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_010_005_2.txt" 0 "Submit Certificate cancel request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_010_005.txt" + rlAssertGrep "requestStatus=\"canceled\"" "$TmpDir/ca_renew_manual_010_005_2.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_ca_renew_manual-011: Manually approved by agent -when agent assign the request" + local userid="renm11" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > 
$TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_011_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_011_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_011_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_011_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_manual_011_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Approve certificate request + #10 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+10 days' '+%Y') + local end_month=$(date -d '+10 days' '+%m') + local end_day=$(date -d '+10 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_011_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_011_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_011_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_011_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_manual_011_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail 
"Certificate Serial Number is invalid : $serial_number" + fi + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caManualRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_011_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_011_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_011_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_011_004.txt" + request_id=$(cat -v $TmpDir/ca_renew_manual_011_004_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Agent Approve renew request + #180 days validity for certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$(date -d '+180 days' '+%Y') + local end_month=$(date -d '+180 days' '+%m') + local end_day=$(date -d '+180 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_011_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=assign&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_011_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=assign&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_011_005_2.txt" 0 "Submit Certificate assign request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_011_005.txt" + rlAssertGrep "requestStatus=\"pending\"" "$TmpDir/ca_renew_manual_011_005_2.txt" + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_renew_manual-012: Manually approved by agent -when agent unassign the request" + local userid="renm12" + local fullname=$userid + local password=password$userid + local 
email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_012_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_012_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_012_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_012_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_manual_012_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Approve 
certificate request + #10 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+10 days' '+%Y') + local end_month=$(date -d '+10 days' '+%m') + local end_day=$(date -d '+10 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_012_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_012_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_012_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_012_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_manual_012_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caManualRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_012_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_012_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_012_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_012_004.txt" + request_id=$(cat -v 
$TmpDir/ca_renew_manual_012_004_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Agent Approve renew request + #180 days validity for certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$(date -d '+180 days' '+%Y') + local end_month=$(date -d '+180 days' '+%m') + local end_day=$(date -d '+180 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_012_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=unassign&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_012_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=unassign&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_012_005_2.txt" 0 "Submit Certificate unassign request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_012_005.txt" + rlAssertGrep "requestStatus=\"pending\"" "$TmpDir/ca_renew_manual_012_005_2.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_ca_renew_manual-013: Manually approved by agent -when agent validate the request" + local userid="renm13" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > 
$TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_013_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_013_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_013_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_013_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_manual_013_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Approve certificate request + #10 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+10 days' '+%Y') + local end_month=$(date -d '+10 days' '+%m') + local end_day=$(date -d '+10 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_013_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_013_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_013_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_013_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_manual_013_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail 
"Certificate Serial Number is invalid : $serial_number" + fi + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caManualRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_013_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_013_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_013_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_013_004.txt" + request_id=$(cat -v $TmpDir/ca_renew_manual_013_004_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Agent Approve renew request + #180 days validity for certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$(date -d '+180 days' '+%Y') + local end_month=$(date -d '+180 days' '+%m') + local end_day=$(date -d '+180 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_013_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=validate&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_013_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=validate&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_013_005_2.txt" 0 "Submit Certificate validate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_013_005.txt" + rlAssertGrep "requestStatus=\"pending\"" "$TmpDir/ca_renew_manual_013_005_2.txt" + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_renew_manual-014: Manually approved by agent -when agent update the request" + local userid="renm14" + local fullname=$userid + local password=password$userid + local 
email="$userid@mail_domain.com"
+ local phone="1234"
+ local state="CA"
+
+ #Create a certificate request
+ local profile_id="caUserCert"
+ local request_type="crmf"
+ local request_key_size=1024
+ local request_key_type="rsa"
+
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:$userid \
+ subject_uid:$userid \
+ subject_email:$email \
+ subject_ou:IDM \
+ subject_organization:Redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/$rand-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/$rand-subject.out"
+ rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_014_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_014_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_014_002_2.txt" 0 "Submit Certificate request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_014_002.txt"
+ local request_id=$(cat -v $TmpDir/ca_renew_manual_014_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "requestid=$request_id"
+
+ #Approve 
certificate request
+ #10 days validity for the certs
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ local end_year=$(date -d '+10 days' '+%Y')
+ local end_month=$(date -d '+10 days' '+%m')
+ local end_day=$(date -d '+10 days' '+%d')
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second"
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local cert_ext_subjAltNames="RFC822Name: "
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_manual_014_003.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_manual_014_003.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_014_003_2.txt" 0 "Submit Certificate approve request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_014_003.txt"
+ local serial_number=$(cat -v $TmpDir/ca_renew_manual_014_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+
+ #Verify length of the serial number
+ serial_length=${#serial_number}
+ if [ $serial_length -le 0 ] ; then
+ rlFail "Certificate Serial Number is invalid : $serial_number"
+ fi
+
+ serial_number_in_decimal=$((${serial_number}))
+ #Submit Renew certificate request
+ local renew_profile_id="caManualRenewal"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_014_004.txt \
+ -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_014_004.txt \
+ -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_014_004_2.txt" 0 "Submit Certificate renew request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_014_004.txt"
+ request_id=$(cat -v 
$TmpDir/ca_renew_manual_014_004_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "requestid=$request_id"
+
+ #Agent Approve renew request
+ #180 days validity for certs
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ let end_year=$(date -d '+180 days' '+%Y')
+ local end_month=$(date -d '+180 days' '+%m')
+ local end_day=$(date -d '+180 days' '+%d')
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second"
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local cert_ext_subjAltNames="RFC822Name: "
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_manual_014_005.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=update&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_manual_014_005.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d 
\"requestId=$request_id&op=update&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_014_005_2.txt" 0 "Submit Certificate update request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_014_005.txt"
+ rlAssertGrep "requestStatus=\"pending\"" "$TmpDir/ca_renew_manual_014_005_2.txt"
+ rlPhaseEnd
+
+ rlPhaseStartTest "pki_ca_renew_manual-015: Renew a cert when graceBefore value is a negative - manually approved by a valid agent"
+ #Change grace period graceBefore value to a negative number
+ local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caUserCert.cfg"
+ local search_string="policyset.userCertSet.10.constraint.params.renewal.graceBefore=30"
+ local replace_string="policyset.userCertSet.10.constraint.params.renewal.graceBefore=-10"
+ replace_string_in_a_file $profile_file $search_string $replace_string
+ if [ $? 
-eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ #user cert request using profile
+ local userid="renm15"
+ local fullname=$userid
+ local password=password$userid
+ local email="$userid@mail_domain.com"
+ local phone="1234"
+ local state="CA"
+
+ #Create a certificate request
+ local profile_id="caUserCert"
+ local request_type="crmf"
+ local request_key_size=1024
+ local request_key_type="rsa"
+
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:$userid \
+ subject_uid:$userid \
+ subject_email:$email \
+ subject_ou:IDM \
+ subject_organization:Redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/$rand-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/$rand-subject.out"
+ rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_015_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_015_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_015_002_2.txt" 0 "Submit Certificate request"
+ rlAssertGrep "HTTP/1.1 
200 OK" "$TmpDir/ca_renew_manual_015_002.txt"
+ local request_id=$(cat -v $TmpDir/ca_renew_manual_015_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "requestid=$request_id"
+
+ #Approve certificate request
+ #10 days validity for the certs
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ local end_year=$(date -d '+10 days' '+%Y')
+ local end_month=$(date -d '+10 days' '+%m')
+ local end_day=$(date -d '+10 days' '+%d')
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second"
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local cert_ext_subjAltNames="RFC822Name: "
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_manual_015_003.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_manual_015_003.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_015_003_2.txt" 0 "Submit Certificate approve request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_015_003.txt"
+ local serial_number=$(cat -v $TmpDir/ca_renew_manual_015_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+
+ #Verify length of the serial number
+ serial_length=${#serial_number}
+ if [ $serial_length -le 0 ] ; then
+ rlFail "Certificate Serial Number is invalid : $serial_number"
+ fi
+
+ serial_number_in_decimal=$((${serial_number}))
+ #Submit Renew certificate request
+ local renew_profile_id="caManualRenewal"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_015_004.txt \
+ -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_015_004.txt \
+ -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_015_004_2.txt" 0 "Submit Certificate renew request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_015_004.txt"
+ request_id=$(cat -v 
$TmpDir/ca_renew_manual_015_004_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "requestid=$request_id"
+
+ #Agent Approve renew request
+ #180 days validity for certs
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ let end_year=$(date -d '+180 days' '+%Y')
+ local end_month=$(date -d '+180 days' '+%m')
+ local end_day=$(date -d '+180 days' '+%d')
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second"
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local cert_ext_subjAltNames="RFC822Name: "
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_manual_015_005.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=update&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_manual_015_005.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d 
\"requestId=$request_id&op=update&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_015_005_2.txt" 0 "Submit Certificate update request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_015_005.txt"
+ rlAssertGrep "requestStatus=\"pending\"" "$TmpDir/ca_renew_manual_015_005_2.txt"
+
+ #Change grace period graceBefore value to original value 30
+ replace_string_in_a_file $profile_file $replace_string $search_string
+ if [ $? -eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+ rlPhaseEnd
+
+
+ rlPhaseStartTest "pki_ca_renew_manual-016: Renew a cert when graceBefore value is a smaller number - manually approved by a valid agent"
+
+ #Change grace period graceBefore value to a smaller number
+ local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caUserCert.cfg"
+ local search_string="policyset.userCertSet.10.constraint.params.renewal.graceBefore=30"
+ local replace_string="policyset.userCertSet.10.constraint.params.renewal.graceBefore=1"
+ replace_string_in_a_file $profile_file $search_string $replace_string
+ if [ $? 
-eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ #user cert request using profile
+ local userid="renm16"
+ local fullname=$userid
+ local password=password$userid
+ local email="$userid@mail_domain.com"
+ local phone="1234"
+ local state="CA"
+
+ #Create a certificate request
+ local profile_id="caUserCert"
+ local request_type="crmf"
+ local request_key_size=1024
+ local request_key_type="rsa"
+
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:$userid \
+ subject_uid:$userid \
+ subject_email:$email \
+ subject_ou:IDM \
+ subject_organization:Redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/$rand-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/$rand-subject.out"
+ rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_016_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_016_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_016_002_2.txt" 0 "Submit Certificate request"
+ rlAssertGrep "HTTP/1.1 
200 OK" "$TmpDir/ca_renew_manual_016_002.txt"
+ local request_id=$(cat -v $TmpDir/ca_renew_manual_016_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "requestid=$request_id"
+
+ #Approve certificate request
+ #1 day validity for the certs
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ local end_year=$(date -d '+1 day' '+%Y')
+ local end_month=$(date -d '+1 day' '+%m')
+ local end_day=$(date -d '+1 day' '+%d')
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second"
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local cert_ext_subjAltNames="RFC822Name: "
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_manual_016_003.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_manual_016_003.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_016_003_2.txt" 0 "Submit Certificate approve request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_016_003.txt"
+ local serial_number=$(cat -v $TmpDir/ca_renew_manual_016_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+
+ #Verify length of the serial number
+ serial_length=${#serial_number}
+ if [ $serial_length -le 0 ] ; then
+ rlFail "Certificate Serial Number is invalid : $serial_number"
+ fi
+
+ serial_number_in_decimal=$((${serial_number}))
+ #Submit Renew certificate request
+ local renew_profile_id="caManualRenewal"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_016_004.txt \
+ -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_016_004.txt \
+ -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_016_004_2.txt" 0 "Submit Certificate renew request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_016_004.txt"
+ request_id=$(cat -v 
$TmpDir/ca_renew_manual_016_004_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "requestid=$request_id"
+
+ #Agent Approve renew request
+ #180 days validity for certs
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ let end_year=$(date -d '+180 days' '+%Y')
+ local end_month=$(date -d '+180 days' '+%m')
+ local end_day=$(date -d '+180 days' '+%d')
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second"
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local cert_ext_subjAltNames="RFC822Name: "
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_manual_016_005.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_manual_016_005.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_016_005_2.txt" 0 "Submit Certificate approve request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_016_005.txt"
+ local serial_number=$(cat -v $TmpDir/ca_renew_manual_016_005_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+
+ #Verify length of the serial number
+ serial_length=${#serial_number}
+ if [ $serial_length -le 0 ] ; then
+ rlFail "Certificate Serial Number is invalid : $serial_number"
+ fi
+
+ #Change grace period graceBefore value to original value 30
+ replace_string_in_a_file $profile_file $replace_string $search_string
+ if [ $? 
-eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+ rlPhaseEnd
+
+
+ rlPhaseStartTest "pki_ca_renew_manual-017: Renew a cert when graceBefore value is a smaller number and cert is outside renew grace period BZ1182353"
+
+ #Change grace period graceBefore value to a smaller number
+ local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caUserCert.cfg"
+ local search_string="policyset.userCertSet.10.constraint.params.renewal.graceBefore=30"
+ local replace_string="policyset.userCertSet.10.constraint.params.renewal.graceBefore=1"
+ replace_string_in_a_file $profile_file $search_string $replace_string
+ if [ $? -eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ #user cert request using profile
+ local userid="renm17"
+ local fullname=$userid
+ local password=password$userid
+ local email="$userid@mail_domain.com"
+ local phone="1234"
+ local state="CA"
+
+ #Create a certificate request
+ local profile_id="caUserCert"
+ local request_type="crmf"
+ local request_key_size=1024
+ local request_key_type="rsa"
+
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:$userid \
+ subject_uid:$userid \
+ subject_email:$email \
+ subject_ou:IDM \
+ subject_organization:Redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/$rand-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/$rand-subject.out"
+ rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_017_002.txt \
+ -d 
\"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_017_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_017_002_2.txt" 0 "Submit Certificate request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_017_002.txt"
+ local request_id=$(cat -v $TmpDir/ca_renew_manual_017_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "requestid=$request_id"
+
+ #Approve certificate request
+ #10 days validity for the certs
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ local end_year=$(date -d '+10 days' '+%Y')
+ local end_month=$(date -d '+10 days' '+%m')
+ local end_day=$(date -d '+10 days' '+%d')
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second"
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local cert_ext_subjAltNames="RFC822Name: "
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_manual_017_003.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_manual_017_003.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_017_003_2.txt" 0 "Submit Certificate approve request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_017_003.txt"
+ local serial_number=$(cat -v $TmpDir/ca_renew_manual_017_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+
+ #Verify length of the serial number
+ serial_length=${#serial_number}
+ if [ $serial_length -le 0 ] ; then
+ rlFail 
"Certificate Serial Number is invalid : $serial_number" + fi + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caManualRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_017_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_017_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_017_004_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_017_004.txt" + rlAssertGrep "Request Rejected - Outside of Renewal Grace Period" "$TmpDir/ca_renew_manual_017_004_2.txt" + rlLog "BZ1182353 - https://bugzilla.redhat.com/show_bug.cgi?id=1182353" + + #Change grace period graceBefore value to original value 30 + replace_string_in_a_file $profile_file $replace_string $search_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_renew_manual-018: Renew a cert when graceBefore value is a bigger number - manually approved by a valid agent" + + #Change grace period graceBefore value to a bigger number + local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caUserCert.cfg" + local search_string="policyset.userCertSet.10.constraint.params.renewal.graceBefore=30" + local replace_string="policyset.userCertSet.10.constraint.params.renewal.graceBefore=360" + replace_string_in_a_file $profile_file $search_string $replace_string + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #user cert request using profile + local userid="renm18" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_018_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_018_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_018_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 
200 OK" "$TmpDir/ca_renew_manual_018_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_manual_018_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Approve certificate request + #359 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+359 days' '+%Y') + local end_month=$(date -d '+359 days' '+%m') + local end_day=$(date -d '+359 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_018_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_018_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_018_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_018_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_manual_018_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caManualRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_018_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_018_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_018_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_018_004.txt" + request_id=$(cat -v 
$TmpDir/ca_renew_manual_018_004_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Agent Approve renew request + #180 days validity for certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$(date -d '+180 days' '+%Y') + local end_month=$(date -d '+180 days' '+%m') + local end_day=$(date -d '+180 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_018_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_018_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_018_005_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_018_005.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_manual_018_005_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Change grace period graceBefore value to original value 30 + replace_string_in_a_file $profile_file $replace_string $search_string + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_renew_manual-019: Renew a cert when graceBefore value is a bigger number and cert is outside renew grace period BZ1182353" + + #Change grace period graceBefore value to a smaller number + local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caUserCert.cfg" + local search_string="policyset.userCertSet.10.constraint.params.renewal.graceBefore=30" + local replace_string="policyset.userCertSet.10.constraint.params.renewal.graceBefore=360" + replace_string_in_a_file $profile_file $search_string $replace_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #user cert request using profile + local userid="renm19" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_019_002.txt \ + -d 
\"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_019_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_019_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_019_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_manual_019_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Approve certificate request + #362 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+362 days' '+%Y') + local end_month=$(date -d '+362 days' '+%m') + local end_day=$(date -d '+362 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_019_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_019_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_019_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_019_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_manual_019_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail 
"Certificate Serial Number is invalid : $serial_number"
+ fi
+
+ serial_number_in_decimal=$((${serial_number}))
+ #Submit Renew certificate request
+ local renew_profile_id="caManualRenewal"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_019_004.txt \
+ -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_019_004.txt \
+ -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_019_004_2.txt" 0 "Submit Certificate renew request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_019_004.txt"
+ rlAssertGrep "Request Rejected - Outside of Renewal Grace Period" "$TmpDir/ca_renew_manual_019_004_2.txt"
+ rlLog "BZ1182353 - https://bugzilla.redhat.com/show_bug.cgi?id=1182353"
+
+ #Change grace period graceBefore value to original value 30
+ replace_string_in_a_file $profile_file $replace_string $search_string
+ if [ $? -eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartTest "pki_ca_renew_manual-020: Renew a cert when graceAfter value is a smaller number - manually approved by a valid agent"
+
+ # Set System Clock 40 days older from today
+ reverse_system_clock 40
+
+ #Change grace period graceAfter value to a smaller number
+ local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caUserCert.cfg"
+ local search_string="policyset.userCertSet.10.constraint.params.renewal.graceAfter=30"
+ local replace_string="policyset.userCertSet.10.constraint.params.renewal.graceAfter=2"
+ replace_string_in_a_file $profile_file $search_string $replace_string
+ if [ $? 
-eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ #user cert request using profile
+ local userid="renm20"
+ local fullname=$userid
+ local password=password$userid
+ local email="$userid@mail_domain.com"
+ local phone="1234"
+ local state="CA"
+
+ #Create a certificate request
+ local profile_id="caUserCert"
+ local request_type="crmf"
+ local request_key_size=1024
+ local request_key_type="rsa"
+
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:$userid \
+ subject_uid:$userid \
+ subject_email:$email \
+ subject_ou:IDM \
+ subject_organization:Redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/$rand-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/$rand-subject.out"
+ rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_020_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_020_002.txt \
+ -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_020_002_2.txt" 0 "Submit Certificate request"
+ rlAssertGrep "HTTP/1.1 
200 OK" "$TmpDir/ca_renew_manual_020_002.txt"
+ local request_id=$(cat -v $TmpDir/ca_renew_manual_020_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "requestid=$request_id"
+
+ #Approve certificate request
+ #39 day validity for the certs
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ local end_year=$(date -d '+39 days' '+%Y')
+ local end_month=$(date -d '+39 days' '+%m')
+ local end_day=$(date -d '+39 days' '+%d')
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second"
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local cert_ext_subjAltNames="RFC822Name: "
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_manual_020_003.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_manual_020_003.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_020_003_2.txt" 0 "Submit Certificate approve request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_020_003.txt"
+ local serial_number=$(cat -v $TmpDir/ca_renew_manual_020_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+
+ #Verify length of the serial number
+ serial_length=${#serial_number}
+ if [ $serial_length -le 0 ] ; then
+ rlFail "Certificate Serial Number is invalid : $serial_number"
+ fi
+
+ #Set System Clock back to today
+ forward_system_clock 40
+
+ serial_number_in_decimal=$((${serial_number}))
+ #Submit Renew certificate request
+ local renew_profile_id="caManualRenewal"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_020_004.txt \
+ -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\""
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_020_004.txt \
+ -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_020_004_2.txt" 0 "Submit Certificate renew request"
+ rlAssertGrep "HTTP/1.1 200 OK" 
"$TmpDir/ca_renew_manual_020_004.txt"
+ request_id=$(cat -v $TmpDir/ca_renew_manual_020_004_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}')
+ rlLog "requestid=$request_id"
+
+ #Agent Approve renew request
+ #180 days validity for certs
+ local Second=`date +'%S' -d now`
+ local Minute=`date +'%M' -d now`
+ local Hour=`date +'%H' -d now`
+ local Day=`date +'%d' -d now`
+ local Month=`date +'%m' -d now`
+ local Year=`date +'%Y' -d now`
+ local start_year=$Year
+ let end_year=$(date -d '+180 days' '+%Y')
+ local end_month=$(date -d '+180 days' '+%m')
+ local end_day=$(date -d '+180 days' '+%d')
+ local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second"
+ local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second"
+ local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4"
+ local cert_ext_subjAltNames="RFC822Name: "
+ rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_manual_020_005.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\""
+ rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \
+ --dump-header $TmpDir/ca_renew_manual_020_005.txt \
+ -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \
+ -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_020_005_2.txt" 0 "Submit Certificate approve request"
+ rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_020_005.txt"
+ local serial_number=$(cat -v $TmpDir/ca_renew_manual_020_005_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}')
+ rlLog "serial_number=$serial_number"
+
+ #Verify length of the serial number
+ serial_length=${#serial_number}
+ if [ $serial_length -le 0 ] ; then
+ rlFail "Certificate Serial Number is invalid : $serial_number"
+ fi
+
+ #Change grace period graceAfter value to original value 30
+ replace_string_in_a_file $profile_file $replace_string $search_string
+ if [ $? 
-eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+ rlPhaseEnd
+
+
+ rlPhaseStartTest "pki_ca_renew_manual-021: Renew a cert when graceAfter value is a smaller number and cert is expired before renew grace period BZ1182353"
+ # Set System Clock 40 days older from today
+ reverse_system_clock 40
+
+ #Change grace period graceAfter value to a smaller number
+ local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caUserCert.cfg"
+ local search_string="policyset.userCertSet.10.constraint.params.renewal.graceAfter=30"
+ local replace_string="policyset.userCertSet.10.constraint.params.renewal.graceAfter=1"
+ replace_string_in_a_file $profile_file $search_string $replace_string
+ if [ $? -eq 0 ] ; then
+ chown pkiuser:pkiuser $profile_file
+ rhcs_stop_instance $tomcat_name
+ rhcs_start_instance $tomcat_name
+ fi
+
+ #user cert request using profile
+ local userid="renm21"
+ local fullname=$userid
+ local password=password$userid
+ local email="$userid@mail_domain.com"
+ local phone="1234"
+ local state="CA"
+
+ #Create a certificate request
+ local profile_id="caUserCert"
+ local request_type="crmf"
+ local request_key_size=1024
+ local request_key_type="rsa"
+
+ rlRun "create_new_cert_request \
+ tmp_nss_db:$TEMP_NSS_DB \
+ tmp_nss_db_password:$TEMP_NSS_DB_PWD \
+ request_type:$request_type \
+ request_algo:$request_key_type \
+ request_size:$request_key_size \
+ subject_cn:$userid \
+ subject_uid:$userid \
+ subject_email:$email \
+ subject_ou:IDM \
+ subject_organization:Redhat \
+ subject_country:US \
+ subject_archive:false \
+ cert_request_file:$TEMP_NSS_DB/$rand-request.pem \
+ cert_subject_file:$TEMP_NSS_DB/$rand-subject.out"
+ rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem"
+ rlLog "curl --basic \
+ --dump-header $TmpDir/ca_renew_manual_021_002.txt \
+ -d 
\"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_021_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_021_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_021_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_manual_021_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Approve certificate request + #38 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+38 days' '+%Y') + local end_month=$(date -d '+38 days' '+%m') + local end_day=$(date -d '+38 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_021_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_021_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_021_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_021_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_manual_021_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail 
"Certificate Serial Number is invalid : $serial_number" + fi + + #Set System Clock back to today + forward_system_clock 40 + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caManualRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_021_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_021_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_021_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_021_004.txt" + rlAssertGrep "Request Rejected - Outside of Renewal Grace Period" "$TmpDir/ca_renew_manual_021_004_2.txt" + rlLog "BZ1182353 - https://bugzilla.redhat.com/show_bug.cgi?id=1182353" + + #Change grace period graceAfter value to original value 30 + replace_string_in_a_file $profile_file $replace_string $search_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_renew_manual-022: Renew a cert when graceAfter value is a bigger number - manually approved by a valid agent" + + # Set System Clock 40 days older from today + reverse_system_clock 40 + + #Change grace period graceAfter value to a bigger number + local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caUserCert.cfg" + local search_string="policyset.userCertSet.10.constraint.params.renewal.graceAfter=30" + local replace_string="policyset.userCertSet.10.constraint.params.renewal.graceAfter=360" + replace_string_in_a_file $profile_file $search_string $replace_string + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #user cert request using profile + local userid="renm22" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_022_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_022_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_022_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 
200 OK" "$TmpDir/ca_renew_manual_022_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_manual_022_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Approve certificate request + #1 day validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+1 day' '+%Y') + local end_month=$(date -d '+1 day' '+%m') + local end_day=$(date -d '+1 day' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_022_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_022_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_022_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_022_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_manual_022_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Set System Clock back to today + forward_system_clock 40 + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caManualRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_022_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_022_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_022_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" 
"$TmpDir/ca_renew_manual_022_004.txt" + request_id=$(cat -v $TmpDir/ca_renew_manual_022_004_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Agent Approve renew request + #180 days validity for certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$(date -d '+180 days' '+%Y') + local end_month=$(date -d '+180 days' '+%m') + local end_day=$(date -d '+180 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_022_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_022_005.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_022_005_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_022_005.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_manual_022_005_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Change grace period graceAfter value to original value 30 + replace_string_in_a_file $profile_file $replace_string $search_string + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + rlPhaseEnd + + rlPhaseStartTest "pki_ca_renew_manual-023: Renew a cert when graceAfter value is a bigger number, cert is expired and outside renew grace period BZ1182353" + # Set System Clock 40 days older from today + reverse_system_clock 40 + + #Change grace period graceAfter value to a smaller number + local profile_file="/var/lib/pki/$tomcat_name/ca/profiles/ca/caUserCert.cfg" + local search_string="policyset.userCertSet.10.constraint.params.renewal.graceAfter=30" + local replace_string="policyset.userCertSet.10.constraint.params.renewal.graceAfter=38" + replace_string_in_a_file $profile_file $search_string $replace_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + #user cert request using profile + local userid="renm23" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=1024 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_023_002.txt \ + -d 
\"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_023_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_023_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_023_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_manual_023_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Approve certificate request + #1 day validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+1 day' '+%Y') + local end_month=$(date -d '+1 day' '+%m') + local end_day=$(date -d '+1 day' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_023_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_023_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_023_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_023_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_manual_023_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail 
"Certificate Serial Number is invalid : $serial_number" + fi + + #Set System Clock back to today + forward_system_clock 40 + + serial_number_in_decimal=$((${serial_number})) + #Submit Renew certificate request + local renew_profile_id="caManualRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_023_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_023_004.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_023_004_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_023_004.txt" + rlAssertGrep "Request Rejected - Outside of Renewal Grace Period" "$TmpDir/ca_renew_manual_023_004_2.txt" + rlLog "BZ1182353 - https://bugzilla.redhat.com/show_bug.cgi?id=1182353" + + #Change grace period graceAfter value to original value 30 + replace_string_in_a_file $profile_file $replace_string $search_string + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $profile_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + rlPhaseEnd + + rlPhaseStartTest "pki_ca_renew_manual-024: Renew a revoked cert that expires in renew grace period - manually approved by a valid agent" + local userid="renm24" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=2048 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_024_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_024_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k 
\"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_024_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_024_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_manual_024_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Approve certificate request + #10 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+10 days' '+%Y') + local end_month=$(date -d '+10 days' '+%m') + local end_day=$(date -d '+10 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_024_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header 
$TmpDir/ca_renew_manual_024_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_024_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_024_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_manual_024_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Revoke the cert + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local invalidity_time=$(($(date +%s%N)/1000000)) + + serial_number_in_decimal=$((${serial_number})) + serial_number_only=${serial_number:2:$serial_length} + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_024_004.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"op=doRevoke&submit=submit&serialNumber=$serial_number_only&$serial_number_only=on&revocationReason=0&revokeAll=%28%7C%28certRecordId%3D$serial_number_in_decimal%29%29&invalidityDate=$invalidity_time&day=$Day&month=$Month&year=$Year&totalRecordCount=1&verifiedRecordCount=1&templateType=RevocationSuccess&csrRequestorComments=revokecerttest\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/doRevoke\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_024_004.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"op=doRevoke&submit=submit&serialNumber=$serial_number_only&$serial_number_only=on&revocationReason=0&revokeAll=%28%7C%28certRecordId%3D$serial_number_in_decimal%29%29&invalidityDate=$invalidity_time&day=$Day&month=$Month&year=$Year&totalRecordCount=1&verifiedRecordCount=1&templateType=RevocationSuccess&csrRequestorComments=revokecerttest\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/doRevoke\" > $TmpDir/ca_renew_manual_024_004_2.txt" 0 "Submit Certificate Rovoke request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_024_004.txt" + rlAssertGrep "revoked = \"yes\"" "$TmpDir/ca_renew_manual_024_004_2.txt" + + #Submit Renew certificate request + local renew_profile_id="caManualRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_024_005.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_024_005.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_024_005_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_024_005.txt" + rlAssertGrep "Cannot renew a revoked certificate" "$TmpDir/ca_renew_manual_024_005_2.txt" + rlPhaseEnd + 
+ + rlPhaseStartTest "pki_ca_renew_manual-025: Renew a expired revoked cert that is in renew grace period - manually approved by a valid agent" + # Set System Clock 40 days older from today + reverse_system_clock 40 + + #User cert request using profile + local userid="renm25" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=2048 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_025_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_025_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > 
$TmpDir/ca_renew_manual_025_002_2.txt" 0 "Submit Certificate request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_025_002.txt" + local request_id=$(cat -v $TmpDir/ca_renew_manual_025_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + + #Approve certificate request + #10 days validity for the certs + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + local end_year=$(date -d '+10 days' '+%Y') + local end_month=$(date -d '+10 days' '+%m') + local end_day=$(date -d '+10 days' '+%d') + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$end_month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_025_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_025_003.txt \ + -E 
$valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/ca_renew_manual_025_003_2.txt" 0 "Submit Certificate approve request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_025_003.txt" + local serial_number=$(cat -v $TmpDir/ca_renew_manual_025_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + + #Verify length of the serial number + serial_length=${#serial_number} + if [ $serial_length -le 0 ] ; then + rlFail "Certificate Serial Number is invalid : $serial_number" + fi + + #Revoke the cert + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local invalidity_time=$(($(date +%s%N)/1000000)) + serial_number_in_decimal=$((${serial_number})) + serial_number_only=${serial_number:2:$serial_length} + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_025_004.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"op=doRevoke&submit=submit&serialNumber=$serial_number_only&$serial_number_only=on&revocationReason=0&revokeAll=%28%7C%28certRecordId%3D$serial_number_in_decimal%29%29&invalidityDate=$invalidity_time&day=$Day&month=$Month&year=$Year&totalRecordCount=1&verifiedRecordCount=1&templateType=RevocationSuccess&csrRequestorComments=revokecerttest\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/doRevoke\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/ca_renew_manual_025_004.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"op=doRevoke&submit=submit&serialNumber=$serial_number_only&$serial_number_only=on&revocationReason=0&revokeAll=%28%7C%28certRecordId%3D$serial_number_in_decimal%29%29&invalidityDate=$invalidity_time&day=$Day&month=$Month&year=$Year&totalRecordCount=1&verifiedRecordCount=1&templateType=RevocationSuccess&csrRequestorComments=revokecerttest\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/doRevoke\" > $TmpDir/ca_renew_manual_025_004_2.txt" 0 "Submit Certificate Revoke request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_025_004.txt" + rlAssertGrep "revoked = \"yes\"" "$TmpDir/ca_renew_manual_025_004_2.txt" + + #Set System Clock back to today + forward_system_clock 40 + + #Submit Renew certificate request + local renew_profile_id="caManualRenewal" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_025_005.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_renew_manual_025_005.txt \ + -d \"profileId=$renew_profile_id&renewal=true&serial_num=$serial_number_in_decimal\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/ca_renew_manual_025_005_2.txt" 0 "Submit Certificate renew request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_renew_manual_025_005.txt" + rlAssertGrep "Cannot renew a revoked 
certificate" "$TmpDir/ca_renew_manual_025_005_2.txt"
+ rlPhaseEnd
+
+ rlPhaseStartTest "pki_ca_renew_manual_cleanup: Enable nonce and delete temporary directory"
+ #set system clock 40 days older, backto today's datetime
+ reverse_system_clock 40
+ rlLog "tomcat name=$tomcat_name"
+ enable_ca_nonce $tomcat_name
+ #Delete temporary directory
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+}
diff --git a/tests/dogtag/acceptance/legacy/ca-tests/usergroups/pki-ca-usergroups.sh b/tests/dogtag/acceptance/legacy/ca-tests/usergroups/pki-ca-usergroups.sh
index 314f24d1c..4d2a3395b 100644
--- a/tests/dogtag/acceptance/legacy/ca-tests/usergroups/pki-ca-usergroups.sh
+++ b/tests/dogtag/acceptance/legacy/ca-tests/usergroups/pki-ca-usergroups.sh
@@ -2,7 +2,7 @@
 # vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 #
-# runtest.sh of /CoreOS/rhcs/acceptance/legacy-tests/ca-tests
+# runtest.sh of /CoreOS/rhcs/acceptance/legacy-tests/ca-tests/usergroups
 # Description: PKI CA user and group tests
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 # The following pki commands needs to be tested:
@@ -39,23 +39,20 @@ run_pki-legacy-ca-usergroup_tests() { - local subsystemId=$1 - local subsystemType=$2 - local csRole=$3 - local tomcat_name=$(eval echo \$${subsystemId}_TOMCAT_INSTANCE_NAME) + local subsystemType=$1 + local csRole=$2 # Creating Temporary Directory for pki ca-usergroup - rlPhaseStartSetup "pki ca usergroup Temporary Directory and disable nonce" + rlPhaseStartSetup "pki ca usergroup Temporary Directory" rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory" rlRun "pushd $TmpDir" - rlLog "tomcat name=$tomcat_name" - disable_ca_nonce $tomcat_name rlRun "export SSL_DIR=$CERTDB_DIR" rlPhaseEnd # Local Variables get_topo_stack $csRole $TmpDir/topo_file local CA_INST=$(cat $TmpDir/topo_file | grep MY_CA | cut -d= -f2) + local tomcat_name=$(eval echo \$${CA_INST}_TOMCAT_INSTANCE_NAME) local ca_unsecure_port=$(eval echo \$${CA_INST}_UNSECURE_PORT) local ca_secure_port=$(eval echo \$${CA_INST}_SECURE_PORT) local ca_host=$(eval echo \$${csRole}) @@ -70,11 +67,12 @@ run_pki-legacy-ca-usergroup_tests() local valid_agent_cert=$CA_INST\_agentV local TEMP_NSS_DB="$TmpDir/nssdb" local TEMP_NSS_DB_PWD="redhat" - local ca_admin_user=$(eval echo \$${subsystemId}_ADMIN_USER) + local ca_admin_user=$(eval echo \$${CA_INST}_ADMIN_USER) local rand=$RANDOM local tmp_junk_data=$(openssl rand -base64 50 | perl -p -e 's/\n//') local TEMP_NSS_DB="$TmpDir/nssdb" local TEMP_NSS_DB_PWD="redhat" + disable_ca_nonce $tomcat_name rlPhaseStartTest "pki_ca_usergroup-001: Valid CA admin add users" local userid="ug02" @@ -355,7 +353,7 @@ run_pki-legacy-ca-usergroup_tests() rlAssertGrep "Trusted Managers" "$TmpDir/ca_usergroup_007_3.txt" rlPhaseEnd - rlPhaseStartTest "pki_ca_usergroup-008: Valid CA admin list groups" + rlPhaseStartTest "pki_ca_usergroup-008: Valid CA admin add a user to the group" local userid="ug08" local fullname=$userid local password=password$userid 
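Review bot: `disable_ca_nonce $tomcat_name` in the `@@ -70,11 +67,12 @@` hunk now runs between `rlPhaseEnd` and the first `rlPhaseStartTest`, outside any beakerlib phase, after the `@@ -39,23 +39,20 @@` hunk removed it from the setup phase; whatever it logs or returns is no longer attributed to a phase in the journal. Since `tomcat_name` can only be derived after `get_topo_stack`, wrap the call in its own phase, `rlPhaseStartSetup "pki ca usergroup disable nonce"` / `disable_ca_nonce $tomcat_name` / `rlPhaseEnd`. The new `local tomcat_name=$(eval echo \$${CA_INST}_TOMCAT_INSTANCE_NAME)` follows the file's existing `eval echo` indirection, but `CA_INST` is text read from a file via `grep | cut`; bash's indirect expansion (`local v=${CA_INST}_TOMCAT_INSTANCE_NAME; local tomcat_name=${!v}`) gives the same lookup without passing file content through `eval`. The signature also drops `subsystemId`, so callers must now pass only `subsystemType csRole`; I assume the `runtest.sh` change in this commit is that update.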
@@ -514,8 +512,303 @@ run_pki-legacy-ca-usergroup_tests() rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_usergroup_010_003.txt" rlPhaseEnd + rlPhaseStartTest "pki_ca_usergroup-011: Valid CA agent cannot add new user" + local userid="ug11" + local fullname=$userid + local password="password$userid" + local email="$userid@redhat.com" + local phone="12345" + local state="CA" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_usergroup_011.txt \ + -u $valid_agent_user:$valid_agent_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_usergroup_011.txt \ + -u $valid_agent_user:$valid_agent_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_usergroup_011_2.txt" 0 "Add user $userid to $CA_INST using a agent user" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_usergroup_011.txt" + rlAssertGrep "You are not authorized to perform this operation" "$TmpDir/ca_usergroup_011_2.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_ca_usergroup-012: CA Audit user cannot add new user" + local userid="ug12" + local fullname=$userid + local password="password$userid" + local email="$userid@redhat.com" + local phone="12345" + local state="CA" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_usergroup_012.txt \ + -u $valid_audit_user:$valid_audit_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_usergroup_012.txt \ + -u $valid_audit_user:$valid_audit_user_password \ + -d 
\"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_usergroup_012_2.txt" 0 "Add user $userid to $CA_INST using a audit user" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_usergroup_012.txt" + rlAssertGrep "You are not authorized to perform this operation" "$TmpDir/ca_usergroup_012_2.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_ca_usergroup-013: CA Operator user cannot add new user" + local userid="ug13" + local fullname=$userid + local password="password$userid" + local email="$userid@redhat.com" + local phone="12345" + local state="CA" + rlLog "curl --basic \ + --dump-header $TmpDir/ca_usergroup_013.txt \ + -u $valid_operator_user:$valid_operator_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_usergroup_013.txt \ + -u $valid_operator_user:$valid_operator_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_usergroup_013_2.txt" 0 "Add user $userid to $CA_INST using a operator user" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_usergroup_013.txt" + rlAssertGrep "You are not authorized to perform this operation" "$TmpDir/ca_usergroup_013_2.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_ca_usergroup-014: CA audit user cannot add new group" + local groupid="group14" + local groupdesc="group14_desc" + #Add group + rlLog "curl --basic \ + --dump-header $TmpDir/ca_usergroup_014.txt \ + -u $valid_audit_user:$valid_audit_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k 
\"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_usergroup_014.txt \ + -u $valid_audit_user:$valid_audit_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_usergroup_014_2.txt" 0 "Add group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_usergroup_014.txt" + rlAssertGrep "You are not authorized to perform this operation" "$TmpDir/ca_usergroup_014_2.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_ca_usergroup-015: CA agent user cannot add new group" + local groupid="group15" + local groupdesc="group15_desc" + #Add group + rlLog "curl --basic \ + --dump-header $TmpDir/ca_usergroup_015.txt \ + -u $valid_agent_user:$valid_agent_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_usergroup_015.txt \ + -u $valid_agent_user:$valid_agent_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_usergroup_015_2.txt" 0 "Add group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_usergroup_015.txt" + rlAssertGrep "You are not authorized to perform this operation" "$TmpDir/ca_usergroup_015_2.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_ca_usergroup-016: CA operator user cannot add new group" + local groupid="group16" + local groupdesc="group16_desc" + #Add group + rlLog "curl --basic \ + --dump-header $TmpDir/ca_usergroup_016.txt \ + -u $valid_operator_user:$valid_operator_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_usergroup_016.txt \ + -u $valid_operator_user:$valid_operator_user_password \ + -d 
\"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_usergroup_016_2.txt" 0 "Add group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_usergroup_016.txt" + rlAssertGrep "You are not authorized to perform this operation" "$TmpDir/ca_usergroup_016_2.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_ca_usergroup-017: CA agent user cannot delete existing group" + local groupid="group17" + local groupdesc="group17_desc" + #Add group + rlLog "curl --basic \ + --dump-header $TmpDir/ca_usergroup_017.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_usergroup_017.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_usergroup_017_2.txt" 0 "Add group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_usergroup_017.txt" + rlAssertNotGrep "Failed to add group" "$TmpDir/ca_usergroup_017_2.txt" + #List group + rlLog "curl --basic \ + --dump-header $TmpDir/ca_usergroup_017_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_usergroup_017_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_usergroup_017_002_2.txt" 0 "List groups" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_usergroup_017_002.txt" + rlRun "cat $TmpDir/ca_usergroup_017_002_2.txt | python -c 'import sys, urllib as ul; print ul.unquote(sys.stdin.read());' | sed 'y/+/ /' > $TmpDir/ca_usergroup_017_002_3.txt" + rlAssertGrep "$groupid" 
"$TmpDir/ca_usergroup_017_002_3.txt" + #Delete group using agent + rlLog "curl --basic \ + --dump-header $TmpDir/ca_usergroup_017_003.txt \ + -u $valid_agent_user:$valid_agent_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=groups&RS_ID=$groupid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_usergroup_017_003.txt \ + -u $valid_agent_user:$valid_agent_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=groups&RS_ID=$groupid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_usergroup_017_003_2.txt" 0 "Delete group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_usergroup_017_003.txt" + rlAssertGrep "You are not authorized to perform this operation" "$TmpDir/ca_usergroup_017_003_2.txt" + #List group + rlLog "curl --basic \ + --dump-header $TmpDir/ca_usergroup_017_004.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_usergroup_017_004.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_usergroup_017_004_2.txt" 0 "List groups" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_usergroup_017_004.txt" + rlRun "cat $TmpDir/ca_usergroup_017_004_2.txt | python -c 'import sys, urllib as ul; print ul.unquote(sys.stdin.read());' | sed 'y/+/ /' > $TmpDir/ca_usergroup_017_004_3.txt" + rlAssertGrep "$groupid" "$TmpDir/ca_usergroup_017_004_3.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_ca_usergroup-018: CA Audit user cannot delete existing group" + local groupid="group18" + local groupdesc="group18_desc" + #Add group + rlLog "curl --basic \ + --dump-header $TmpDir/ca_usergroup_018.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k 
\"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_usergroup_018.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_usergroup_018_2.txt" 0 "Add group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_usergroup_018.txt" + rlAssertNotGrep "Failed to add group" "$TmpDir/ca_usergroup_018_2.txt" + #List group + rlLog "curl --basic \ + --dump-header $TmpDir/ca_usergroup_018_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_usergroup_018_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_usergroup_018_002_2.txt" 0 "List groups" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_usergroup_018_002.txt" + rlRun "cat $TmpDir/ca_usergroup_018_002_2.txt | python -c 'import sys, urllib as ul; print ul.unquote(sys.stdin.read());' | sed 'y/+/ /' > $TmpDir/ca_usergroup_018_002_3.txt" + rlAssertGrep "$groupid" "$TmpDir/ca_usergroup_018_002_3.txt" + #Delete group using auditor + rlLog "curl --basic \ + --dump-header $TmpDir/ca_usergroup_018_003.txt \ + -u $valid_audit_user:$valid_audit_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=groups&RS_ID=$groupid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_usergroup_018_003.txt \ + -u $valid_audit_user:$valid_audit_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=groups&RS_ID=$groupid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_usergroup_018_003_2.txt" 0 "Delete group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_usergroup_018_003.txt" + rlAssertGrep "You are not authorized to perform this 
operation" "$TmpDir/ca_usergroup_018_003_2.txt" + #List group + rlLog "curl --basic \ + --dump-header $TmpDir/ca_usergroup_018_004.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_usergroup_018_004.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_usergroup_018_004_2.txt" 0 "List groups" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_usergroup_018_004.txt" + rlRun "cat $TmpDir/ca_usergroup_018_004_2.txt | python -c 'import sys, urllib as ul; print ul.unquote(sys.stdin.read());' | sed 'y/+/ /' > $TmpDir/ca_usergroup_018_004_3.txt" + rlAssertGrep "$groupid" "$TmpDir/ca_usergroup_018_004_3.txt" + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_usergroup-019: CA Operator user cannot delete existing group" + local groupid="group19" + local groupdesc="group19_desc" + #Add group + rlLog "curl --basic \ + --dump-header $TmpDir/ca_usergroup_019.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_usergroup_019.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_usergroup_019_2.txt" 0 "Add group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_usergroup_019.txt" + rlAssertNotGrep "Failed to add group" "$TmpDir/ca_usergroup_019_2.txt" + #List group + rlLog "curl --basic \ + --dump-header $TmpDir/ca_usergroup_019_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + 
--dump-header $TmpDir/ca_usergroup_019_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_usergroup_019_002_2.txt" 0 "List groups" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_usergroup_019_002.txt" + rlRun "cat $TmpDir/ca_usergroup_019_002_2.txt | python -c 'import sys, urllib as ul; print ul.unquote(sys.stdin.read());' | sed 'y/+/ /' > $TmpDir/ca_usergroup_019_002_3.txt" + rlAssertGrep "$groupid" "$TmpDir/ca_usergroup_019_002_3.txt" + #Delete group using operator + rlLog "curl --basic \ + --dump-header $TmpDir/ca_usergroup_019_003.txt \ + -u $valid_operator_user:$valid_operator_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=groups&RS_ID=$groupid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_usergroup_019_003.txt \ + -u $valid_operator_user:$valid_operator_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=groups&RS_ID=$groupid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_usergroup_019_003_2.txt" 0 "Delete group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_usergroup_019_003.txt" + rlAssertGrep "You are not authorized to perform this operation" "$TmpDir/ca_usergroup_019_003_2.txt" + #List group + rlLog "curl --basic \ + --dump-header $TmpDir/ca_usergroup_019_004.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/ca_usergroup_019_004.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_usergroup_019_004_2.txt" 0 "List groups" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/ca_usergroup_019_004.txt" + rlRun "cat $TmpDir/ca_usergroup_019_004_2.txt | python -c 'import sys, urllib as ul; print 
ul.unquote(sys.stdin.read());' | sed 'y/+/ /' > $TmpDir/ca_usergroup_019_004_3.txt"
+ rlAssertGrep "$groupid" "$TmpDir/ca_usergroup_019_004_3.txt"
+ rlPhaseEnd
+
 rlPhaseStartTest "pki_ca_usergroup_cleanup: Deleting users and groups"
- local group=("group01" "group10")
+ local group=("group01" "group10" "group17" "group18" "group19")
 i=0
 while [ $i -lt ${#group[@]} ] ; do
 groupid=${group[$i]}
@@ -524,7 +817,6 @@ run_pki-legacy-ca-usergroup_tests()
 -u $valid_admin_user:$valid_admin_user_password \
 -d \"OP_TYPE=OP_DELETE&OP_SCOPE=groups&RS_ID=$groupid\" \
 -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_group_cleanup_$i_2.txt" 0 "Delete group $groupid"
- rlAssertNotGrep "Failed to add group" "$TmpDir/ca_usergroup_009_2.txt"
 let i=$i+1
 done
 
@@ -539,7 +831,9 @@ run_pki-legacy-ca-usergroup_tests()
 -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_usergroup_cleanup_$i_2.txt" 0 "Delete user $userid"
 let i=$i+1
 done
-
- enable_ca_nonce $tomcat_name
+ enable_ca_nonce $tomcat_name
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing temp directory"
 rlPhaseEnd
 }
+
diff --git a/tests/dogtag/acceptance/legacy/subca-tests/usergroups/subca-usergroups.sh b/tests/dogtag/acceptance/legacy/subca-tests/usergroups/subca-usergroups.sh
new file mode 100644
index 000000000..441dc0d60
--- /dev/null
+++ b/tests/dogtag/acceptance/legacy/subca-tests/usergroups/subca-usergroups.sh
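Review bot: The negative tests `pki_ca_usergroup-011` through `-016` assert only that the body contains `You are not authorized to perform this operation`; none of them re-lists users or groups as admin to confirm that `ug11`–`ug13` and `group14`–`group16` were not actually created, whereas 017–019 do re-list after the denied delete. A server that printed the message but still performed the add would pass, and because the cleanup phase only removes `group17`–`group19`, such leftovers would also survive into later runs. After each denied add, issue an admin `OP_TYPE=OP_SEARCH&OP_SCOPE=users` (or `groups`) request, decode it through the same `python -c ... ul.unquote` pipeline the later tests use, and check with `rlAssertNotGrep "$userid" "$TmpDir/ca_usergroup_011_3.txt"` (and the group ids likewise). Separately, every `rlLog "curl --basic ... -u $valid_agent_user:$valid_agent_user_password ..."` writes a role account password into the beaker journal; logging the command with the `-u` argument redacted, or supplying credentials via `--netrc-file`, keeps them out of the test log. The requests also pass `-k` even though the renewal script in this same commit verifies the server with `--cacert $CERTDB_DIR/ca_cert.pem`.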
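Review bot: `rlRun "rm -r $TmpDir" 0 "Removing temp directory"` in the `@@ -539,7 +831,9 @@` hunk removes whatever `$TmpDir` expands to with no guard; if the setup `mktemp -d` failed, `TmpDir` is empty and the command silently changes meaning, so prefer `rlRun "rm -r -- ${TmpDir:?}" 0 "Removing temp directory"` (the renew_manual cleanup hunk above has the same unguarded form). The context lines of this hunk and of `@@ -524,7 +817,6 @@` write to `$TmpDir/ca_usergroup_cleanup_$i_2.txt` and `$TmpDir/ca_group_cleanup_$i_2.txt`; bash reads `$i_2` as the variable `i_2`, which is never set, so every loop iteration writes the same `..._cleanup_.txt` and the per-item output is overwritten — `${i}_2` is what was intended. The `enable_ca_nonce $tomcat_name` added here is the only place the nonce check is turned back on after the `disable_ca_nonce` at the top of the function, and it lives in a phase opened with `rlPhaseStartTest`; `rlPhaseStartCleanup` would mark it as cleanup in the journal and make that dependency visible.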
@@ -0,0 +1,842 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/rhcs/acceptance/legacy-tests/subca-tests/usergroups +# Description: Subordinate CA user and group tests +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# The following pki commands needs to be tested: +# Subordinate CA /ca/ug +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Author: Asha Akkiangady +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. /usr/share/beakerlib/beakerlib.sh +. /opt/rhqa_pki/rhcs-shared.sh +. 
/opt/rhqa_pki/env.sh + +run_pki-legacy-subca-usergroup_tests() +{ + local subsystemType=$1 + local csRole=$2 + + # Creating Temporary Directory for pki ca-usergroup + rlPhaseStartSetup "pki ca usergroup Temporary Directory" + rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory" + rlRun "pushd $TmpDir" + rlRun "export SSL_DIR=$CERTDB_DIR" + rlPhaseEnd + + # Local Variables + get_topo_stack $csRole $TmpDir/topo_file + if [ $cs_Role="MASTER" ]; then + SUBCA_INST=$(cat $TmpDir/topo_file | grep MY_SUBCA | cut -d= -f2) + elif [ $cs_Role="SUBCA2" || $cs_Role="SUBCA1" ]; then + SUBCA_INST=$(cat $TmpDir/topo_file | grep MY_CA | cut -d= -f2) + fi + local tomcat_name=$(eval echo \$${SUBCA_INST}_TOMCAT_INSTANCE_NAME) + local ca_unsecure_port=$(eval echo \$${SUBCA_INST}_UNSECURE_PORT) + local ca_secure_port=$(eval echo \$${SUBCA_INST}_SECURE_PORT) + local ca_host=$(eval echo \$${csRole}) + local valid_agent_user=$SUBCA_INST\_agentV + local valid_agent_user_password=$SUBCA_INST\_agentV_password + local valid_admin_user=$SUBCA_INST\_adminV + local valid_admin_user_password=$SUBCA_INST\_adminV_password + local valid_audit_user=$SUBCA_INST\_auditV + local valid_audit_user_password=$SUBCA_INST\_auditV_password + local valid_operator_user=$SUBCA_INST\_operatorV + local valid_operator_user_password=$SUBCA_INST\_operatorV_password + local valid_agent_cert=$SUBCA_INST\_agentV + local TEMP_NSS_DB="$TmpDir/nssdb" + local TEMP_NSS_DB_PWD="redhat" + local ca_admin_user=$(eval echo \$${SUBCA_INST}_ADMIN_USER) + local rand=$RANDOM + local tmp_junk_data=$(openssl rand -base64 50 | perl -p -e 's/\n//') + local TEMP_NSS_DB="$TmpDir/nssdb" + local TEMP_NSS_DB_PWD="redhat" + disable_ca_nonce $tomcat_name + + rlPhaseStartTest "pki_subca_usergroup-001: Valid SUBCA admin add users" + local userid="ug02" + local fullname=$userid + local password="password$userid" + local email="$userid@redhat.com" + local phone="12345" + local state="CA" + rlLog "curl --basic \ + --dump-header 
$TmpDir/subca_usergroup_001.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_001.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_001_2.txt" 0 "Add user $userid to $CA_INST" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_001.txt" + rlAssertNotGrep "Fail" "$TmpDir/subca_usergroup_001_2.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_usergroup-002: Valid CA admin list users" + local userid="ug02" + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=users\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=users\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_002_2.txt" 0 "List all CA user in $CA_INST" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_002.txt" + rlAssertGrep "$userid" "$TmpDir/subca_usergroup_002_2.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_usergroup-003: Valid CA admin edit users" + local userid="ug04" + local fullname=$userid + local password=password$userid + local email="$userid@redhat.com" + local phone="1234" + local state="CA" + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_003.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d 
\"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_003.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_003_2.txt" 0 "Add user $userid to $CA_INST" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_003.txt" + #Now edit user - phone number change + phone="4567" + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_003_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_MODIFY&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_003_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_MODIFY&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_003_002_2.txt" 0 "Modify user $userid to have a new phone number $phone" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_003_002.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_usergroup-004: Valid CA admin delete users" + local userid="ug05" + local fullname=$userid + local password="password$userid" + local email="$userid@redhat.com" + local phone="1234" + local state="CA" + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_004.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d 
\"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_004.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_004_2.txt" 0 "Add user $userid to $CA_INST" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_004.txt" + rlAssertNotGrep "Failed to add user" "$TmpDir/subca_usergroup_004_2.txt" + #Now delete user + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_004_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=users&RS_ID=$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_004_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=users&RS_ID=$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_004_002_2.txt" 0 "Delete user $userid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_004_002.txt" + #Verify user is deleted + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_004_003.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=users\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_004_003.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=users\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_004_003_2.txt" 0 "List all CA user in $CA_INST" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_004_003.txt" + rlAssertNotGrep 
"$userid" "$TmpDir/subca_usergroup_004_003_2.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_usergroup-005: Valid CA admin view certs of users" + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=certs&RS_ID=$valid_admin_user\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=certs&RS_ID=$valid_admin_user\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_05_2.txt" 0 "View user $valid_admin_user certificate" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_005.txt" + rlRun "cat $TmpDir/subca_usergroup_05_2.txt | python -c 'import sys, urllib as ul; print ul.unquote(sys.stdin.read());' | sed 'y/+/ /' > $TmpDir/subca_usergroup_05_3.txt" + rlAssertGrep "BEGIN CERTIFICATE" "$TmpDir/subca_usergroup_05_3.txt" + rlAssertGrep "END CERTIFICATE" "$TmpDir/subca_usergroup_05_3.txt" + #view certificate of ca admin user + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_005_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=certs&RS_ID=$ca_admin_user\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_005_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=certs&RS_ID=$ca_admin_user\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_005_002_2.txt" 0 "View user $ca_admin_user certificate" + rlRun "cat $TmpDir/subca_usergroup_005_002_2.txt | python -c 'import sys, urllib as ul; print ul.unquote(sys.stdin.read());' | sed 'y/+/ /' > $TmpDir/subca_usergroup_005_002_3.txt" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_005_002.txt" + rlAssertGrep "BEGIN CERTIFICATE" 
"$TmpDir/subca_usergroup_005_002_3.txt" + rlAssertGrep "END CERTIFICATE" "$TmpDir/subca_usergroup_005_002_3.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_usergroup-006: Valid CA admin import certs into users" + local userid="ug06" + local fullname=$userid + local password=password$userid + local email="$userid@mail_domain.com" + local phone="1234" + local state="CA" + #Add a user + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_006.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=Administrators&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_006.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=Administrators&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_006_2.txt" 0 "Add user $userid to $CA_INST" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_006.txt" + rlAssertNotGrep "Failed to add user" "$TmpDir/subca_usergroup_006_2.txt" + #Create a certificate request + local profile_id="caUserCert" + local request_type="crmf" + local request_key_size=2048 + local request_key_type="rsa" + + rlRun "create_new_cert_request \ + tmp_nss_db:$TEMP_NSS_DB \ + tmp_nss_db_password:$TEMP_NSS_DB_PWD \ + request_type:$request_type \ + request_algo:$request_key_type \ + request_size:$request_key_size \ + subject_cn:$userid \ + subject_uid:$userid \ + subject_email:$email \ + subject_ou:IDM \ + subject_organization:Redhat \ + subject_country:US \ + subject_archive:false \ + cert_request_file:$TEMP_NSS_DB/$rand-request.pem \ + cert_subject_file:$TEMP_NSS_DB/$rand-subject.out" + rlRun "cat $TEMP_NSS_DB/$rand-request.pem | python -c 'import sys, urllib as ul; 
print ul.quote(sys.stdin.read());' > $TEMP_NSS_DB/$rand-encoded-request.pem" + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_006_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_006_002.txt \ + -d \"profileId=$profile_id&cert_request_type=$request_type&sn_uid=$userid&sn_cn=$userid&sn_e=$userid&sn_ou=IDM&sn_o=Redhat&sn_C=US&requestor_email=$email&requestor_phone=$phone&cert_request=$(cat -v $TEMP_NSS_DB/$rand-encoded-request.pem)\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ee/ca/profileSubmit\" > $TmpDir/subca_usergroup_006_002_2.txt" 0 "Submit Certificare request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_006_002.txt" + local request_id=$(cat -v $TmpDir/subca_usergroup_006_002_2.txt | grep 'requestList.requestId' | awk -F '=\"' '{print $2}' | awk -F '\";' '{print $1}') + rlLog "requestid=$request_id" + #Approve certificate request + local Second=`date +'%S' -d now` + local Minute=`date +'%M' -d now` + local Hour=`date +'%H' -d now` + local Day=`date +'%d' -d now` + local Month=`date +'%m' -d now` + local Year=`date +'%Y' -d now` + local start_year=$Year + let end_year=$Year+1 + local end_day="1" + local notBefore="$start_year-$Month-$Day $Hour:$Minute:$Second" + local notAfter="$end_year-$Month-$end_day $Hour:$Minute:$Second" + local cert_ext_exKeyUsageOIDs="1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4" + local cert_ext_subjAltNames="RFC822Name: " + rlLog "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/subca_usergroup_006_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d 
\"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\"" + rlRun "curl --cacert $CERTDB_DIR/ca_cert.pem \ + --dump-header $TmpDir/subca_usergroup_006_003.txt \ + -E $valid_agent_cert:$CERTDB_DIR_PASSWORD \ + -d \"requestId=$request_id&op=approve&submit=submit&name=UID=$userid¬Before=$notBefore¬After=$notAfter&authInfoAccessCritical=false&authInfoAccessGeneralNames=&keyUsageCritical=true&keyUsageDigitalSignature=true&keyUsageNonRepudiation=true&keyUsageKeyEncipherment=true&keyUsageDataEncipherment=false&keyUsageKeyAgreement=false&keyUsageKeyCertSign=false&keyUsageCrlSign=false&keyUsageEncipherOnly=false&keyUsageDecipherOnly=false&exKeyUsageCritical=false&exKeyUsageOIDs=$cert_ext_exKeyUsageOIDs&&subjAltNameExtCritical=false&subjAltNames=$cert_ext_subjAltNames&signingAlg=SHA1withRSA&requestNotes=submittingcertfor$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/agent/ca/profileProcess\" > $TmpDir/subca_usergroup_006_003_2.txt" 0 "Submit Certificare request" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_006_003.txt" + local serial_number=$(cat -v $TmpDir/subca_usergroup_006_003_2.txt | tr '\\n' '\n' | grep 'Serial Number' | awk -F 'Serial Number: ' '{print $2}') + rlLog "serial_number=$serial_number" + local certificate_in_base64=$(cat -v $TmpDir/subca_usergroup_006_003_2.txt | grep 'outputList.outputVal' | awk -F 
'outputList.outputVal=\"' '{print $2}' | awk -F '-----BEGIN CERTIFICATE-----' '{print $2}' | sed '/^$/d' | sed 's/^\\n//'|sed -e 's/^/-----BEGIN CERTIFICATE-----/' | sed 's/-----END CERTIFICATE-----\\n\";/-----END CERTIFICATE-----/' | sed 's/\\r\\n//g') + rlLog "CERTIFICATE_IN_BASE64=$certificate_in_base64" + #Add certificate to user + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_006_004.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + --data \"OP_TYPE=OP_ADD&OP_SCOPE=certs&RS_ID=$userid\" \ + --data-urlencode \"cert=$certificate_in_base64\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_006_004.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + --data \"OP_TYPE=OP_ADD&OP_SCOPE=certs&RS_ID=$userid\" \ + --data-urlencode \"cert=$certificate_in_base64\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_006_004_2.txt" 0 "Add certificate serial_number $serial_number to $userid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_006_004.txt" + #Make sure certificate got added to user + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_006_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=certs&RS_ID=$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_006_005.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_READ&OP_SCOPE=certs&RS_ID=$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_006_005_2.txt" 0 "Read certificate of $userid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_006_005.txt" + rlRun "cat $TmpDir/subca_usergroup_006_005_2.txt | python -c 'import sys, urllib as ul; print ul.unquote(sys.stdin.read());' | sed 'y/+/ /' > $TmpDir/subca_usergroup_006_005_3.txt" + rlAssertGrep "-----BEGIN CERTIFICATE-----" 
"$TmpDir/subca_usergroup_006_005_3.txt" + rlAssertGrep "-----END CERTIFICATE-----" "$TmpDir/subca_usergroup_006_005_3.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_usergroup-007: Valid CA admin list groups" + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_007.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_007.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_007_2.txt" 0 "List groups" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_007.txt" + rlRun "cat $TmpDir/subca_usergroup_007_2.txt | python -c 'import sys, urllib as ul; print ul.unquote(sys.stdin.read());' | sed 'y/+/ /' > $TmpDir/subca_usergroup_007_3.txt" + rlAssertGrep "Administrators" "$TmpDir/subca_usergroup_007_3.txt" + rlAssertGrep "Certificate Manager Agents" "$TmpDir/subca_usergroup_007_3.txt" + rlAssertGrep "Trusted Managers" "$TmpDir/subca_usergroup_007_3.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_usergroup-008: Valid CA admin add a user to the group" + local userid="ug08" + local fullname=$userid + local password=password$userid + local email="$userid@redhat.com" + local phone="1234" + local state="CA" + local groupid="group01" + local groupdesc="group01_desc" + #Add user + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_008.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_008.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d 
\"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_008_2.txt" 0 "Add user $userid to $CA_INST" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_008.txt" + rlAssertNotGrep "Failed to add user" "$TmpDir/subca_usergroup_008_2.txt" + #Add user to group + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_008_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_008_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_008_002_2.txt" 0 "Add group $groupid" + + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_008_002.txt" + #List group + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_008_003.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_008_003.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_008_003_2.txt" 0 "List groups" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_008_003.txt" + rlRun "cat $TmpDir/subca_usergroup_008_003_2.txt | python -c 'import sys, urllib as ul; print ul.unquote(sys.stdin.read());' | sed 'y/+/ /' > $TmpDir/subca_usergroup_008_003_3.txt" + rlAssertGrep "$groupid" "$TmpDir/subca_usergroup_008_003_3.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_usergroup-009: Valid CA 
admin delete group" + local groupid="group09" + local groupdesc="group09_desc" + #Add group + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_009.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_009.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_009_2.txt" 0 "Add group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_009.txt" + rlAssertNotGrep "Failed to add group" "$TmpDir/subca_usergroup_009_2.txt" + #List group + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_009_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_009_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_009_002_2.txt" 0 "List groups" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_009_002.txt" + rlRun "cat $TmpDir/subca_usergroup_009_002_2.txt | python -c 'import sys, urllib as ul; print ul.unquote(sys.stdin.read());' | sed 'y/+/ /' > $TmpDir/subca_usergroup_009_002_3.txt" + rlAssertGrep "$groupid" "$TmpDir/subca_usergroup_009_002_3.txt" + #Delete group + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_009_003.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=groups&RS_ID=$groupid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_009_003.txt \ + -u 
$valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=groups&RS_ID=$groupid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_009_003_2.txt" 0 "Delete group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_009_003.txt" + #List group + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_009_004.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_009_004.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_009_004_2.txt" 0 "List groups" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_009_004.txt" + rlRun "cat $TmpDir/subca_usergroup_009_004_2.txt | python -c 'import sys, urllib as ul; print ul.unquote(sys.stdin.read());' | sed 'y/+/ /' > $TmpDir/subca_usergroup_009_004_3.txt" + rlAssertNotGrep "$groupid" "$TmpDir/subca_usergroup_009_004_3.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_usergroup-010: Valid CA admin edit groups" + local userid="ug10" + local fullname=$userid + local password=password$userid + local email="$userid@redhat.com" + local phone="1234" + local state="CA" + local groupid="group10" + local groupdesc="group10_desc" + #Add user + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_010.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_010.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d 
\"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_010_2.txt" 0 "Add user $userid to $CA_INST" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_010.txt" + rlAssertNotGrep "Failed to add user" "$TmpDir/subca_usergroup_010_2.txt" + #Add user to group + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_010_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_010_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_010_002_2.txt" 0 "Add group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_010_002.txt" + rlAssertNotGrep "Failed to add group" "$TmpDir/subca_usergroup_010_002_2.txt" + #Edit group - change description + local groupdesc2="group10_desc_changed" + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_010_003.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_MODIFY&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc2&user=$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_010_003.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_MODIFY&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc2&user=$userid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_010_003_2.txt" 0 "Edit $groupid change desc $groupdesc2" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_010_003.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_usergroup-011: 
Valid CA agent cannot add new user" + local userid="ug11" + local fullname=$userid + local password="password$userid" + local email="$userid@redhat.com" + local phone="12345" + local state="CA" + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_011.txt \ + -u $valid_agent_user:$valid_agent_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_011.txt \ + -u $valid_agent_user:$valid_agent_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_011_2.txt" 0 "Add user $userid to $CA_INST using a agent user" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_011.txt" + rlAssertGrep "You are not authorized to perform this operation" "$TmpDir/subca_usergroup_011_2.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_usergroup-012: CA Audit user cannot add new user" + local userid="ug12" + local fullname=$userid + local password="password$userid" + local email="$userid@redhat.com" + local phone="12345" + local state="CA" + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_012.txt \ + -u $valid_audit_user:$valid_audit_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_012.txt \ + -u $valid_audit_user:$valid_audit_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k 
\"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_012_2.txt" 0 "Add user $userid to $CA_INST using a audit user" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_012.txt" + rlAssertGrep "You are not authorized to perform this operation" "$TmpDir/subca_usergroup_012_2.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_usergroup-013: CA Operator user cannot add new user" + local userid="ug13" + local fullname=$userid + local password="password$userid" + local email="$userid@redhat.com" + local phone="12345" + local state="CA" + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_013.txt \ + -u $valid_operator_user:$valid_operator_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_013.txt \ + -u $valid_operator_user:$valid_operator_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=users&RS_ID=$userid&fullname=$fullname&password=$password&email=$email&phone=$phone&state=$state&groups=&userType=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_013_2.txt" 0 "Add user $userid to $CA_INST using a operator user" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_013.txt" + rlAssertGrep "You are not authorized to perform this operation" "$TmpDir/subca_usergroup_013_2.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_usergroup-014: CA audit user cannot add new group" + local groupid="group14" + local groupdesc="group14_desc" + #Add group + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_014.txt \ + -u $valid_audit_user:$valid_audit_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_014.txt \ + -u 
$valid_audit_user:$valid_audit_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_014_2.txt" 0 "Add group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_014.txt" + rlAssertGrep "You are not authorized to perform this operation" "$TmpDir/subca_usergroup_014_2.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_usergroup-015: CA agent user cannot add new group" + local groupid="group15" + local groupdesc="group15_desc" + #Add group + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_015.txt \ + -u $valid_agent_user:$valid_agent_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_015.txt \ + -u $valid_agent_user:$valid_agent_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_015_2.txt" 0 "Add group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_015.txt" + rlAssertGrep "You are not authorized to perform this operation" "$TmpDir/subca_usergroup_015_2.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_usergroup-016: CA operator user cannot add new group" + local groupid="group16" + local groupdesc="group16_desc" + #Add group + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_016.txt \ + -u $valid_operator_user:$valid_operator_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_016.txt \ + -u $valid_operator_user:$valid_operator_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > 
$TmpDir/subca_usergroup_016_2.txt" 0 "Add group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_016.txt" + rlAssertGrep "You are not authorized to perform this operation" "$TmpDir/subca_usergroup_016_2.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_usergroup-017: CA agent user cannot delete existing group" + local groupid="group17" + local groupdesc="group17_desc" + #Add group + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_017.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_017.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_017_2.txt" 0 "Add group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_017.txt" + rlAssertNotGrep "Failed to add group" "$TmpDir/subca_usergroup_017_2.txt" + #List group + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_017_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_017_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_017_002_2.txt" 0 "List groups" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_017_002.txt" + rlRun "cat $TmpDir/subca_usergroup_017_002_2.txt | python -c 'import sys, urllib as ul; print ul.unquote(sys.stdin.read());' | sed 'y/+/ /' > $TmpDir/subca_usergroup_017_002_3.txt" + rlAssertGrep "$groupid" "$TmpDir/subca_usergroup_017_002_3.txt" + #Delete group using agent + rlLog "curl 
--basic \ + --dump-header $TmpDir/subca_usergroup_017_003.txt \ + -u $valid_agent_user:$valid_agent_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=groups&RS_ID=$groupid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_017_003.txt \ + -u $valid_agent_user:$valid_agent_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=groups&RS_ID=$groupid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_017_003_2.txt" 0 "Delete group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_017_003.txt" + rlAssertGrep "You are not authorized to perform this operation" "$TmpDir/subca_usergroup_017_003_2.txt" + #List group + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_017_004.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_017_004.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_017_004_2.txt" 0 "List groups" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_017_004.txt" + rlRun "cat $TmpDir/subca_usergroup_017_004_2.txt | python -c 'import sys, urllib as ul; print ul.unquote(sys.stdin.read());' | sed 'y/+/ /' > $TmpDir/subca_usergroup_017_004_3.txt" + rlAssertGrep "$groupid" "$TmpDir/subca_usergroup_017_004_3.txt" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_usergroup-018: CA Audit user cannot delete existing group" + local groupid="group18" + local groupdesc="group18_desc" + #Add group + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_018.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ 
+ --dump-header $TmpDir/subca_usergroup_018.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_018_2.txt" 0 "Add group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_018.txt" + rlAssertNotGrep "Failed to add group" "$TmpDir/subca_usergroup_018_2.txt" + #List group + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_018_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_018_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_018_002_2.txt" 0 "List groups" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_018_002.txt" + rlRun "cat $TmpDir/subca_usergroup_018_002_2.txt | python -c 'import sys, urllib as ul; print ul.unquote(sys.stdin.read());' | sed 'y/+/ /' > $TmpDir/subca_usergroup_018_002_3.txt" + rlAssertGrep "$groupid" "$TmpDir/subca_usergroup_018_002_3.txt" + #Delete group using auditor + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_018_003.txt \ + -u $valid_audit_user:$valid_audit_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=groups&RS_ID=$groupid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_018_003.txt \ + -u $valid_audit_user:$valid_audit_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=groups&RS_ID=$groupid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_018_003_2.txt" 0 "Delete group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_018_003.txt" + rlAssertGrep "You are not authorized to perform this operation" 
"$TmpDir/subca_usergroup_018_003_2.txt" + #List group + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_018_004.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_018_004.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_018_004_2.txt" 0 "List groups" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_018_004.txt" + rlRun "cat $TmpDir/subca_usergroup_018_004_2.txt | python -c 'import sys, urllib as ul; print ul.unquote(sys.stdin.read());' | sed 'y/+/ /' > $TmpDir/subca_usergroup_018_004_3.txt" + rlAssertGrep "$groupid" "$TmpDir/subca_usergroup_018_004_3.txt" + rlPhaseEnd + + + rlPhaseStartTest "pki_subca_usergroup-019: CA Operator user cannot delete existing group" + local groupid="group19" + local groupdesc="group19_desc" + #Add group + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_019.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_019.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_ADD&OP_SCOPE=groups&RS_ID=$groupid&desc=$groupdesc&user=\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_019_2.txt" 0 "Add group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_019.txt" + rlAssertNotGrep "Failed to add group" "$TmpDir/subca_usergroup_019_2.txt" + #List group + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_019_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k 
\"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_019_002.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_019_002_2.txt" 0 "List groups" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_019_002.txt" + rlRun "cat $TmpDir/subca_usergroup_019_002_2.txt | python -c 'import sys, urllib as ul; print ul.unquote(sys.stdin.read());' | sed 'y/+/ /' > $TmpDir/subca_usergroup_019_002_3.txt" + rlAssertGrep "$groupid" "$TmpDir/subca_usergroup_019_002_3.txt" + #Delete group using operator + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_019_003.txt \ + -u $valid_operator_user:$valid_operator_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=groups&RS_ID=$groupid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_019_003.txt \ + -u $valid_operator_user:$valid_operator_user_password \ + -d \"OP_TYPE=OP_DELETE&OP_SCOPE=groups&RS_ID=$groupid\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_019_003_2.txt" 0 "Delete group $groupid" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_019_003.txt" + rlAssertGrep "You are not authorized to perform this operation" "$TmpDir/subca_usergroup_019_003_2.txt" + #List group + rlLog "curl --basic \ + --dump-header $TmpDir/subca_usergroup_019_004.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\"" + rlRun "curl --basic \ + --dump-header $TmpDir/subca_usergroup_019_004.txt \ + -u $valid_admin_user:$valid_admin_user_password \ + -d \"OP_TYPE=OP_SEARCH&OP_SCOPE=groups\" \ + -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_019_004_2.txt" 0 "List groups" + rlAssertGrep "HTTP/1.1 200 OK" "$TmpDir/subca_usergroup_019_004.txt" + 
rlRun "cat $TmpDir/subca_usergroup_019_004_2.txt | python -c 'import sys, urllib as ul; print ul.unquote(sys.stdin.read());' | sed 'y/+/ /' > $TmpDir/subca_usergroup_019_004_3.txt"
+ rlAssertGrep "$groupid" "$TmpDir/subca_usergroup_019_004_3.txt"
+ rlPhaseEnd
+
+ rlPhaseStartTest "pki_subca_usergroup_cleanup: Deleting users and groups"
+ local group=("group01" "group10" "group17" "group18" "group19")
+ i=0
+ while [ $i -lt ${#group[@]} ] ; do
+ groupid=${group[$i]}
+ rlRun "curl --basic \
+ --dump-header $TmpDir/ca_group_cleanup_$i.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_DELETE&OP_SCOPE=groups&RS_ID=$groupid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/ca_group_cleanup_$i_2.txt" 0 "Delete group $groupid"
+ let i=$i+1
+ done
+
+ local user=("ug02" "ug04" "ug06:true" "ug08" "ug10")
+ i=0
+ while [ $i -lt ${#user[@]} ] ; do
+ userid=${user[$i]}
+ rlRun "curl --basic \
+ --dump-header $TmpDir/subca_usergroup_cleanup_$i.txt \
+ -u $valid_admin_user:$valid_admin_user_password \
+ -d \"OP_TYPE=OP_DELETE&OP_SCOPE=users&RS_ID=$userid\" \
+ -k \"https://$ca_host:$ca_secure_port/ca/ug\" > $TmpDir/subca_usergroup_cleanup_$i_2.txt" 0 "Delete user $userid"
+ let i=$i+1
+ done
+ enable_ca_nonce $tomcat_name
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing temp directory"
+ rlPhaseEnd
+}
diff --git a/tests/dogtag/runtest.sh b/tests/dogtag/runtest.sh
index 0fcccdb7f..c1faea6fc 100755
--- a/tests/dogtag/runtest.sh
+++ b/tests/dogtag/runtest.sh
@@ -191,6 +191,10 @@ . ./acceptance/legacy/ca-tests/publishing/ca-admin-publishing.sh . ./acceptance/legacy/ca-tests/cert-enrollment/ca-ag-certificates.sh . ./acceptance/legacy/ca-tests/ocsp/ca-ee-ocsp.sh +. ./acceptance/legacy/ca-tests/renewal/renew_manual.sh +. ./acceptance/legacy/ca-tests/renewal/renew_DirAuthUserCert.sh +. ./acceptance/legacy/ca-tests/renewal/renew_caSSLClientCert.sh +. ./acceptance/legacy/subca-tests/usergroups/subca-usergroups.sh . ./acceptance/legacy/subca-tests/acls/subca-ad-acls.sh . ./acceptance/legacy/subca-tests/internaldb/subca-ad-internaldb.sh . ./acceptance/legacy/subca-tests/authplugin/subca-ad-authplugin.sh @@ -1045,13 +1049,6 @@ rlJournalStart run_bug_790924 fi - LEGACY_CA_ADMIN_ACL_UPPERCASE=$(echo $LEGACY_CA_ADMIN_ACL | tr [a-z] [A-Z]) - if [ "$LEGACY_CA_ADMIN_ACL_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPPERCASE" = "TRUE" ] ; then - #Execute legacy CA admin acl tests - subsystemType=ca - run_admin-ca-acl_tests $subsystemType $MYROLE - fi - ######## PKI KEY KRA TESTS ############ PKI_KEY_KRA_TESTS_UPPERCASE=$(echo $PKI_KEY_KRA_TESTS | tr [a-z] [A-Z]) if [ "$PKI_KEY_KRA_TESTS_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPPERCASE" = "TRUE" ] ; then @@ -1462,10 +1459,8 @@ rlJournalStart PKI_LEGACY_CA_USERGROUP_UPPERCASE=$(echo $PKI_LEGACY_CA_USERGROUP | tr [a-z] [A-Z]) if [ "$PKI_LEGACY_CA_USERGROUP_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPPERCASE" = "TRUE" ] ; then # Execute pki ca-usergroup-tests tests - subsystemId=$CA_INST subsystemType=ca - rlLog "Subsystem ID CA=$CA_INST, MY_ROLE=$MYROLE" - run_pki-legacy-ca-usergroup_tests $subsystemId $subsystemType $MYROLE + run_pki-legacy-ca-usergroup_tests $subsystemType $MYROLE fi PKI_LEGACY_CA_ADMIN_PROFILE_UPPERCASE=$(echo $PKI_LEGACY_CA_ADMIN_PROFILE | tr [a-z] [A-Z]) if [ "$PKI_LEGACY_CA_ADMIN_PROFILE_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPPERCASE" = "TRUE" ]; then 
@@ -1537,6 +1532,24 @@ rlJournalStart
 subsystemType=ca
 run_ca-ee-ocsp_tests $subsystemType $MYROLE
 fi
+ PKI_LEGACY_CA_RENEW_MANUAL_UPPERCASE=$(echo $PKI_LEGACY_CA_RENEW_MANUAL | tr [a-z] [A-Z])
+ if [ "$PKI_LEGACY_CA_RENEW_MANUAL_UPPERCASE" = "TRUE" ] || [ "TEST_ALL_UPPERCASE" = "TRUE" ]; then
+ # Execute pki ca-renew-manual tests
+ subsystemType=ca
+ run_pki-legacy-ca-renew_manual_tests $subsystemType $MYROLE
+ fi
+ PKI_LEGACY_CA_RENEW_DIRECTORY_AUTH_USERCERT_UPPERCASE=$(echo $PKI_LEGACY_CA_RENEW_DIRECTORY_AUTH_USERCERT | tr [a-z] [A-Z])
+ if [ "$PKI_LEGACY_CA_RENEW_DIRECTORY_AUTH_USERCERT_UPPERCASE" = "TRUE" ] || [ "TEST_ALL_UPPERCASE" = "TRUE" ]; then
+ # Execute pki ca-renew-directory-auth-usercert tests
+ subsystemType=ca
+ run_pki-legacy-ca-renew_dir_auth_user_cert_tests $subsystemType $MYROLE
+ fi
+ PKI_LEGACY_CA_RENEW_SSLCLIENTAUTH_CERT_UPPERCASE=$(echo $PKI_LEGACY_CA_RENEW_SSLCLIENTAUTH_CERT | tr [a-z] [A-Z])
+ if [ "$PKI_LEGACY_CA_RENEW_SSLCLIENTAUTH_CERT_UPPERCASE" = "TRUE" ] || [ "TEST_ALL_UPPERCASE" = "TRUE" ]; then
+ # Execute pki ca-renew-sslclient-cert tests
+ subsystemType=ca
+ run_pki-legacy-ca-renew_self_ca_user_ssl_client_cert_tests $subsystemType $MYROLE
+ fi
 PKI_LEGACY_KRA_AG_UPPERCASE=$(echo $PKI_LEGACY_KRA_AG_TESTS | tr [a-z] [A-Z])
 if [ "$PKI_LEGACY_KRA_AG_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPPERCASE" = "TRUE" ]; then
 subsystemType=kra
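Review bot: All three new guards compare the literal string `"TEST_ALL_UPPERCASE"` with `"TRUE"` instead of the variable, so setting TEST_ALL never enables the renewal tests and only the per-test PKI_LEGACY_CA_RENEW_* variables can switch them on. Each `||` branch should read `[ "$TEST_ALL_UPPERCASE" = "TRUE" ]`, as the neighbouring PKI_LEGACY_KRA_AG check in the same hunk does. The same typo appears in the manual, directory-auth and SSL-client `if` lines, so all three need the fix.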
@@ -1562,6 +1575,12 @@ rlJournalStart
 subsystemType=kra
 run_admin-kra-log_tests $subsystemType $MYROLE
 fi
+ PKI_LEGACY_SUBCA_USERGROUP_UPPERCASE=$(echo $PKI_LEGACY_SUBCA_USERGROUP | tr [a-z] [A-Z])
+ if [ "$PKI_LEGACY_SUBCA_USERGROUP_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPPERCASE" = "TRUE" ] ; then
+ # Execute pki subca-usergroup-tests tests
+ subsystemType=ca
+ run_pki-legacy-subca-usergroup_tests $subsystemType $MYROLE
+ fi
 PKI_LEGACY_SUBCA_ADMIN_ACLS_UPPERCASE=$(echo $PKI_LEGACY_SUBCA_ADMIN_ACLS | tr [a-z] [A-Z])
 if [ "$PKI_LEGACY_SUBCA_ADMIN_ACLS_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPPERCASE" = "TRUE" ]; then
 subsystemType=ca
diff --git a/tests/dogtag/shared/rhcs-shared.sh b/tests/dogtag/shared/rhcs-shared.sh
index a351c4a40..45d5b6c83 100755
--- a/tests/dogtag/shared/rhcs-shared.sh
+++ b/tests/dogtag/shared/rhcs-shared.sh
@@ -14,10 +14,13 @@
 # runJava
 # set_javapath
 # install_and_trust_CA_cert
+# install_and_trust_user_cert
 # disable_ca_nonce
 # enable_ca_nonce
 # importP12File
-#
+# forward_system_clock
+# reverse_system_clock
+# replace_string_in_a_file
 ######################################################################
 #######################################################################
@@ -271,6 +274,76 @@ install_and_trust_KRA_cert(){
 rlRun "certutil -d $nss_db_dir -A -n \"$kra_cert_nick\" -i $nss_db_dir/kra_cert.pem -t \"CT,CT,CT\" "
 }
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# install_and_trust_user_cert
+# Usage: install_and_trust_user_cert
+#
+# This will check and install user certificate in a given nss-db
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+install_and_trust_user_cert(){
+ local cert_pem_file="$1"
+ local user_cert_nick="$2"
+ local nss_db_dir="$3"
+ rlRun "certutil -d $nss_db_dir -A -n \"$user_cert_nick\" -i $cert_pem_file -t \"u,u,u\" "
+}
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# forward_system_clock
+# Usage: forward_system_clock
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+forward_system_clock(){
+ local number_of_days=$1
+ rlLog "Current Date/Time: $(date)"
+ rlRun "chronyc -a 'manual on' 1> $TmpDir/chrony.out" 0 "Set chrony to manual mode"
+ rlAssertGrep "200 OK" "$TmpDir/chrony.out"
+ local cur_date=$(date)
+ rlLog "Move system to $cur_date + $number_of_days days ahead"
+ rlRun "chronyc -a -m 'offline' 'settime $cur_date + $number_of_days days' 'makestep' 'manual reset' 1> $TmpDir/chrony.out"
+ rlLog "Date after modifying using chrony: $(date)"
+}
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# reverse_system_clock
+# Usage: reverse_system_clock
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+reverse_system_clock(){
+ local numdays=$1
+ rlLog "number_of_days=$numdays"
+ rlLog "Current Date/Time: $(date)"
+ local new_string="$numdays days ago"
+ local new_date=$(date -d "$new_string")
+ rlRun "chronyc -a -m 'settime $new_date' 'makestep' 'manual reset' 'online' 1> $TmpDir/chrony.out"
+ rlAssertGrep "200 OK" "$TmpDir/chrony.out"
+ rlLog "Date after modifying using chrony: $(date)"
+}
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# replace_string_in_a_file
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+replace_string_in_a_file()
+{
+ local file_name=$1
+ local original_string=$2
+ local replace_string=$3
+ local rc=0
+ temp_file="$file_name.temp"
+ rlRun "sed 's/$original_string/$replace_string/g' $file_name > $temp_file"
+ cp $temp_file $file_name
+ cat $file_name | grep $replace_string
+ if [ $? -ne 0 ] ; then
+ rlLog "$file_name did not get replaced with $replace_string"
+ rc=1
+ fi
+ return $rc
+}
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 # disable_ca_nonce
 # Usage: disable_ca_nonce
-- cgit
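Review bot: `replace_string_in_a_file` splices its two arguments straight into the sed program (`sed 's/$original_string/$replace_string/g'`), so a `/`, `&` or regex metacharacter in either string silently changes what is substituted, and because the whole command string is handed to rlRun (which evaluates it as shell) a single quote in an argument breaks out of the sed expression altogether. The same function copies the temp file over `$file_name` even when sed failed (leaving an empty target), declares `temp_file` without `local`, never removes the temp file, and checks the result with an unquoted `cat $file_name | grep $replace_string`. Escaping both strings for sed, invoking sed directly and copying only on success, and checking with `grep -qF --` addresses all of these while keeping `cp` so the target file retains its owner and mode. Separately, `forward_system_clock` writes the settime result to `$TmpDir/chrony.out` but, unlike `reverse_system_clock`, never checks it, so a rejected step goes unnoticed; adding `rlAssertGrep "200 OK" "$TmpDir/chrony.out"` after that `rlRun` would make the two helpers symmetric. Note also that `forward_system_clock` puts chrony `offline` and only `reverse_system_clock` brings it back `online`, so a test aborting between the two leaves the host with a manual, offline clock.
```shell
replace_string_in_a_file()
{
  local file_name=$1
  local original_string=$2
  local replace_string=$3
  local rc=0
  local temp_file="$file_name.temp"
  # Quote every character so sed treats both arguments literally (not as regex / replacement syntax);
  # '|' is used as the s/// delimiter below so that '/' in the inputs needs no special handling.
  local esc_orig esc_repl
  esc_orig=$(printf '%s' "$original_string" | sed 's/[^^]/[&]/g; s/\^/\\^/g')
  esc_repl=$(printf '%s' "$replace_string" | sed 's/[|&\\]/\\&/g')
  # Run sed directly (no rlRun eval of the arguments) and only touch the target when sed succeeded.
  if sed "s|$esc_orig|$esc_repl|g" "$file_name" > "$temp_file"; then
    cp "$temp_file" "$file_name"   # cp keeps the target's owner/mode; mv would not
  else
    rlLog "sed failed while replacing $original_string in $file_name"
    rc=1
  fi
  rm -f "$temp_file"
  if [ $rc -eq 0 ] && ! grep -qF -- "$replace_string" "$file_name"; then
    rlLog "$file_name did not get replaced with $replace_string"
    rc=1
  fi
  return $rc
}
```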