-rw-r--r-- | ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl | 619 | ||||
-rw-r--r-- | ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl | 109 | ||||
-rw-r--r-- | ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl | 109 | ||||
-rw-r--r-- | ipatests/test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl | 109 | ||||
-rw-r--r-- | ipatests/test_xmlrpc/test_certprofile_plugin.py | 203 | ||||
-rw-r--r-- | ipatests/util.py | 10 |
6 files changed, 1158 insertions, 1 deletions
diff --git a/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl b/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl new file mode 100644 index 000000000..995481923 --- /dev/null +++ b/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl 
@@ -0,0 +1,619 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<Profile xmlns:ns2="http://www.w3.org/2005/Atom" id="caIPAserviceCert_xml"> + <classId>caEnrollImpl</classId> + <name>IPA-RA Agent-Authenticated Server Certificate Enrollment</name> + <description>This certificate profile is for enrolling server certificates with IPA-RA agent authentication.</description> + <enabled>true</enabled> + <visible>false</visible> + <enabledBy>ipara</enabledBy> + <authenticatorId>raCertAuth</authenticatorId> + <authzAcl></authzAcl> + <renewal>false</renewal> + <xmlOutput>false</xmlOutput> + <Input id="i1"> + <ClassID>certReqInputImpl</ClassID> + <Name>Certificate Request Input</Name> + <Attribute name="cert_request_type"> + <Descriptor> + <Syntax>cert_request_type</Syntax> + <Description>Certificate Request Type</Description> + </Descriptor> + </Attribute> + <Attribute name="cert_request"> + <Descriptor> + <Syntax>cert_request</Syntax> + <Description>Certificate Request</Description> + </Descriptor> + </Attribute> + </Input> + <Input id="i2"> + <ClassID>submitterInfoInputImpl</ClassID> + <Name>Requestor Information</Name> + <Attribute name="requestor_name"> + <Descriptor> + <Syntax>string</Syntax> + <Description>Requestor Name</Description> + </Descriptor> + </Attribute> + <Attribute name="requestor_email"> + <Descriptor> + <Syntax>string</Syntax> + <Description>Requestor Email</Description> + </Descriptor> + </Attribute> + <Attribute name="requestor_phone"> + <Descriptor> + <Syntax>string</Syntax> + <Description>Requestor Phone</Description> + </Descriptor> + </Attribute> + </Input> + <Output id="o1"> + <name>Certificate Output</name> + <classId>certOutputImpl</classId> + <attributes name="pretty_cert"> + <Descriptor> + <Syntax>pretty_print</Syntax> + <Description>Certificate Pretty Print</Description> + </Descriptor> + </attributes> + <attributes name="b64_cert"> + <Descriptor> + <Syntax>pretty_print</Syntax> + <Description>Certificate Base-64 
Encoded</Description> + </Descriptor> + </attributes> + </Output> + <PolicySets> + <PolicySet> + <id>serverCertSet</id> + <value id="1"> + <def id="Subject Name Default" classId="subjectNameDefaultImpl"> + <description>This default populates a Certificate Subject Name to the request. The default values are Subject Name=CN=$request.req_subject_name.cn$, O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</description> + <policyAttribute name="name"> + <Descriptor> + <Syntax>string</Syntax> + <Description>Subject Name</Description> + </Descriptor> + </policyAttribute> + <params name="name"> + <value>CN=$request.req_subject_name.cn$, {ipacertbase}</value> + </params> + </def> + <constraint id="Subject Name Constraint"> + <description>This constraint accepts the subject name that matches CN=[^,]+,.+</description> + <classId>subjectNameConstraintImpl</classId> + <constraint id="pattern"> + <descriptor> + <Syntax>string</Syntax> + <Description>Subject Name Pattern</Description> + </descriptor> + <value>CN=[^,]+,.+</value> + </constraint> + </constraint> + </value> + <value id="2"> + <def id="Validity Default" classId="validityDefaultImpl"> + <description>This default populates a Certificate Validity to the request. 
The default values are Range=731 in days</description> + <policyAttribute name="notBefore"> + <Descriptor> + <Syntax>string</Syntax> + <Description>Not Before</Description> + </Descriptor> + </policyAttribute> + <policyAttribute name="notAfter"> + <Descriptor> + <Syntax>string</Syntax> + <Description>Not After</Description> + </Descriptor> + </policyAttribute> + <params name="range"> + <value>731</value> + </params> + <params name="rangeUnit"> + <value></value> + </params> + <params name="startTime"> + <value>0</value> + </params> + </def> + <constraint id="Validity Constraint"> + <description>This constraint rejects the validity that is not between 740 days.</description> + <classId>validityConstraintImpl</classId> + <constraint id="range"> + <descriptor> + <Syntax>integer</Syntax> + <Description>Validity Range</Description> + <DefaultValue>365</DefaultValue> + </descriptor> + <value>740</value> + </constraint> + <constraint id="rangeUnit"> + <descriptor> + <Syntax>string</Syntax> + <Description>Validity Range Unit (default: day)</Description> + <DefaultValue>day</DefaultValue> + </descriptor> + <value></value> + </constraint> + <constraint id="notBeforeGracePeriod"> + <descriptor> + <Syntax>integer</Syntax> + <Description>Grace period for Not Before being set in the future (in seconds).</Description> + <DefaultValue>0</DefaultValue> + </descriptor> + <value></value> + </constraint> + <constraint id="notBeforeCheck"> + <descriptor> + <Syntax>boolean</Syntax> + <Description>Check Not Before against current time</Description> + <DefaultValue>false</DefaultValue> + </descriptor> + <value>false</value> + </constraint> + <constraint id="notAfterCheck"> + <descriptor> + <Syntax>boolean</Syntax> + <Description>Check Not After against Not Before</Description> + <DefaultValue>false</DefaultValue> + </descriptor> + <value>false</value> + </constraint> + </constraint> + </value> + <value id="3"> + <def id="Key Default" classId="userKeyDefaultImpl"> + <description>This 
default populates a User-Supplied Certificate Key to the request.</description> + <policyAttribute name="TYPE"> + <Descriptor> + <Syntax>string</Syntax> + <Constraint>readonly</Constraint> + <Description>Key Type</Description> + </Descriptor> + </policyAttribute> + <policyAttribute name="LEN"> + <Descriptor> + <Syntax>string</Syntax> + <Constraint>readonly</Constraint> + <Description>Key Length</Description> + </Descriptor> + </policyAttribute> + <policyAttribute name="KEY"> + <Descriptor> + <Syntax>string</Syntax> + <Constraint>readonly</Constraint> + <Description>Key</Description> + </Descriptor> + </policyAttribute> + </def> + <constraint id="Key Constraint"> + <description>This constraint accepts the key only if Key Type=RSA, Key Parameters =1024,2048,3072,4096</description> + <classId>keyConstraintImpl</classId> + <constraint id="keyType"> + <descriptor> + <Syntax>choice</Syntax> + <Constraint>-,RSA,EC</Constraint> + <Description>Key Type</Description> + <DefaultValue>RSA</DefaultValue> + </descriptor> + <value>RSA</value> + </constraint> + <constraint id="keyParameters"> + <descriptor> + <Syntax>string</Syntax> + <Description>Key Lengths or Curves. For EC use comma separated list of curves, otherise use list of key sizes. 
Ex: 1024,2048,4096,8192 or: nistp256,nistp384,nistp521,sect163k1,nistk163 for EC.</Description> + <DefaultValue></DefaultValue> + </descriptor> + <value>1024,2048,3072,4096</value> + </constraint> + </constraint> + </value> + <value id="4"> + <def id="Authority Key Identifier Default" classId="authorityKeyIdentifierExtDefaultImpl"> + <description>This default populates an Authority Key Identifier Extension (2.5.29.35) to the request.</description> + <policyAttribute name="critical"> + <Descriptor> + <Syntax>string</Syntax> + <Constraint>readonly</Constraint> + <Description>Criticality</Description> + </Descriptor> + </policyAttribute> + <policyAttribute name="keyid"> + <Descriptor> + <Syntax>string</Syntax> + <Constraint>readonly</Constraint> + <Description>Key ID</Description> + </Descriptor> + </policyAttribute> + </def> + <constraint id="No Constraint"> + <description>No Constraint</description> + <classId>noConstraintImpl</classId> + </constraint> + </value> + <value id="5"> + <def id="AIA Extension Default" classId="authInfoAccessExtDefaultImpl"> + <description>This default populates a Authority Info Access Extension (1.3.6.1.5.5.7.1.1) to the request. 
The default values are Criticality=false, Record #0 ( Method:1.3.6.1.5.5.7.48.1,Location Type:URIName,Location:http://ipa-ca.{ipadomain}/ca/ocsp,Enable:true)</description> + <policyAttribute name="authInfoAccessCritical"> + <Descriptor> + <Syntax>boolean</Syntax> + <Description>Criticality</Description> + <DefaultValue>false</DefaultValue> + </Descriptor> + </policyAttribute> + <policyAttribute name="authInfoAccessGeneralNames"> + <Descriptor> + <Syntax>string_list</Syntax> + <Description>General Names</Description> + </Descriptor> + </policyAttribute> + <params name="authInfoAccessCritical"> + <value>false</value> + </params> + <params name="authInfoAccessNumADs"> + <value>1</value> + </params> + <params name="authInfoAccessADMethod_0"> + <value>1.3.6.1.5.5.7.48.1</value> + </params> + <params name="authInfoAccessADLocationType_0"> + <value>URIName</value> + </params> + <params name="authInfoAccessADLocation_0"> + <value>http://ipa-ca.{ipadomain}/ca/ocsp</value> + </params> + <params name="authInfoAccessADEnable_0"> + <value>true</value> + </params> + </def> + <constraint id="No Constraint"> + <description>No Constraint</description> + <classId>noConstraintImpl</classId> + </constraint> + </value> + <value id="6"> + <def id="Key Usage Default" classId="keyUsageExtDefaultImpl"> + <description>This default populates a Key Usage Extension (2.5.29.15) to the request. 
The default values are Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=true, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false</description> + <policyAttribute name="keyUsageCritical"> + <Descriptor> + <Syntax>boolean</Syntax> + <Description>Criticality</Description> + <DefaultValue>false</DefaultValue> + </Descriptor> + </policyAttribute> + <policyAttribute name="keyUsageDigitalSignature"> + <Descriptor> + <Syntax>boolean</Syntax> + <Description>Digital Signature</Description> + <DefaultValue>false</DefaultValue> + </Descriptor> + </policyAttribute> + <policyAttribute name="keyUsageNonRepudiation"> + <Descriptor> + <Syntax>boolean</Syntax> + <Description>Non-Repudiation</Description> + <DefaultValue>false</DefaultValue> + </Descriptor> + </policyAttribute> + <policyAttribute name="keyUsageKeyEncipherment"> + <Descriptor> + <Syntax>boolean</Syntax> + <Description>Key Encipherment</Description> + <DefaultValue>false</DefaultValue> + </Descriptor> + </policyAttribute> + <policyAttribute name="keyUsageDataEncipherment"> + <Descriptor> + <Syntax>boolean</Syntax> + <Description>Data Encipherment</Description> + <DefaultValue>false</DefaultValue> + </Descriptor> + </policyAttribute> + <policyAttribute name="keyUsageKeyAgreement"> + <Descriptor> + <Syntax>boolean</Syntax> + <Description>Key Agreement</Description> + <DefaultValue>false</DefaultValue> + </Descriptor> + </policyAttribute> + <policyAttribute name="keyUsageKeyCertSign"> + <Descriptor> + <Syntax>boolean</Syntax> + <Description>Key CertSign</Description> + <DefaultValue>false</DefaultValue> + </Descriptor> + </policyAttribute> + <policyAttribute name="keyUsageCrlSign"> + <Descriptor> + <Syntax>boolean</Syntax> + <Description>CRL Sign</Description> + <DefaultValue>false</DefaultValue> + </Descriptor> + </policyAttribute> + <policyAttribute name="keyUsageEncipherOnly"> + <Descriptor> + 
<Syntax>boolean</Syntax> + <Description>Encipher Only</Description> + <DefaultValue>false</DefaultValue> + </Descriptor> + </policyAttribute> + <policyAttribute name="keyUsageDecipherOnly"> + <Descriptor> + <Syntax>boolean</Syntax> + <Description>Decipher Only</Description> + <DefaultValue>false</DefaultValue> + </Descriptor> + </policyAttribute> + <params name="keyUsageCritical"> + <value>true</value> + </params> + <params name="keyUsageDigitalSignature"> + <value>true</value> + </params> + <params name="keyUsageNonRepudiation"> + <value>true</value> + </params> + <params name="keyUsageKeyEncipherment"> + <value>true</value> + </params> + <params name="keyUsageDataEncipherment"> + <value>true</value> + </params> + <params name="keyUsageKeyAgreement"> + <value>false</value> + </params> + <params name="keyUsageKeyCertSign"> + <value>false</value> + </params> + <params name="keyUsageCrlSign"> + <value>false</value> + </params> + <params name="keyUsageEncipherOnly"> + <value>false</value> + </params> + <params name="keyUsageDecipherOnly"> + <value>false</value> + </params> + </def> + <constraint id="Key Usage Extension Constraint"> + <description>This constraint accepts the Key Usage extension, if present, only when Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=true, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false</description> + <classId>keyUsageExtConstraintImpl</classId> + <constraint id="keyUsageCritical"> + <descriptor> + <Syntax>choice</Syntax> + <Constraint>true,false,-</Constraint> + <Description>Criticality</Description> + <DefaultValue>-</DefaultValue> + </descriptor> + <value>true</value> + </constraint> + <constraint id="keyUsageDigitalSignature"> + <descriptor> + <Syntax>choice</Syntax> + <Constraint>true,false,-</Constraint> + <Description>Digital Signature</Description> + <DefaultValue>-</DefaultValue> + </descriptor> + 
<value>true</value> + </constraint> + <constraint id="keyUsageNonRepudiation"> + <descriptor> + <Syntax>choice</Syntax> + <Constraint>true,false,-</Constraint> + <Description>Non-Repudiation</Description> + <DefaultValue>-</DefaultValue> + </descriptor> + <value>true</value> + </constraint> + <constraint id="keyUsageKeyEncipherment"> + <descriptor> + <Syntax>choice</Syntax> + <Constraint>true,false,-</Constraint> + <Description>Key Encipherment</Description> + <DefaultValue>-</DefaultValue> + </descriptor> + <value>true</value> + </constraint> + <constraint id="keyUsageDataEncipherment"> + <descriptor> + <Syntax>choice</Syntax> + <Constraint>true,false,-</Constraint> + <Description>Data Encipherment</Description> + <DefaultValue>-</DefaultValue> + </descriptor> + <value>true</value> + </constraint> + <constraint id="keyUsageKeyAgreement"> + <descriptor> + <Syntax>choice</Syntax> + <Constraint>true,false,-</Constraint> + <Description>Key Agreement</Description> + <DefaultValue>-</DefaultValue> + </descriptor> + <value>false</value> + </constraint> + <constraint id="keyUsageKeyCertSign"> + <descriptor> + <Syntax>choice</Syntax> + <Constraint>true,false,-</Constraint> + <Description>Key CertSign</Description> + <DefaultValue>-</DefaultValue> + </descriptor> + <value>false</value> + </constraint> + <constraint id="keyUsageCrlSign"> + <descriptor> + <Syntax>choice</Syntax> + <Constraint>true,false,-</Constraint> + <Description>CRL Sign</Description> + <DefaultValue>-</DefaultValue> + </descriptor> + <value>false</value> + </constraint> + <constraint id="keyUsageEncipherOnly"> + <descriptor> + <Syntax>choice</Syntax> + <Constraint>true,false,-</Constraint> + <Description>Encipher Only</Description> + <DefaultValue>-</DefaultValue> + </descriptor> + <value>false</value> + </constraint> + <constraint id="keyUsageDecipherOnly"> + <descriptor> + <Syntax>choice</Syntax> + <Constraint>true,false,-</Constraint> + <Description>Decipher Only</Description> + 
<DefaultValue>-</DefaultValue> + </descriptor> + <value>false</value> + </constraint> + </constraint> + </value> + <value id="7"> + <def id="Extended Key Usage Extension Default" classId="extendedKeyUsageExtDefaultImpl"> + <description>This default populates an Extended Key Usage Extension () to the request. The default values are Criticality=false, OIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2</description> + <policyAttribute name="exKeyUsageCritical"> + <Descriptor> + <Syntax>boolean</Syntax> + <Description>Criticality</Description> + <DefaultValue>false</DefaultValue> + </Descriptor> + </policyAttribute> + <policyAttribute name="exKeyUsageOIDs"> + <Descriptor> + <Syntax>string_list</Syntax> + <Description>Comma-Separated list of Object Identifiers</Description> + </Descriptor> + </policyAttribute> + <params name="exKeyUsageCritical"> + <value>false</value> + </params> + <params name="exKeyUsageOIDs"> + <value>1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2</value> + </params> + </def> + <constraint id="No Constraint"> + <description>No Constraint</description> + <classId>noConstraintImpl</classId> + </constraint> + </value> + <value id="8"> + <def id="Signing Alg" classId="signingAlgDefaultImpl"> + <description>This default populates the Certificate Signing Algorithm. 
The default values are Algorithm=SHA256withRSA</description> + <policyAttribute name="signingAlg"> + <Descriptor> + <Syntax>choice</Syntax> + <Constraint>SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA</Constraint> + <Description>Signing Algorithm</Description> + </Descriptor> + </policyAttribute> + <params name="signingAlg"> + <value>-</value> + </params> + </def> + <constraint id="No Constraint"> + <description>This constraint accepts only the Signing Algorithms of SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC</description> + <classId>signingAlgConstraintImpl</classId> + <constraint id="signingAlgsAllowed"> + <descriptor> + <Syntax>string</Syntax> + <Description>Allowed Signing Algorithms</Description> + <DefaultValue>SHA1withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC</DefaultValue> + </descriptor> + <value>SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC</value> + </constraint> + </constraint> + </value> + <value id="9"> + <def id="CRL Distribution Points Extension Default" classId="crlDistributionPointsExtDefaultImpl"> + <description>This default populates a CRL Distribution Points Extension (2.5.29.31) to the request. 
The default values are Criticality=false, Record #0 Point Type:URIName,Point Name:http://ipa-ca.{ipadomain}/ipa/crl/MasterCRL.bin,Reasons:,Issuer Type:DirectoryName,Issuer Name:CN=Certificate Authority,o=ipaca,Enable:true)</description> + <policyAttribute name="crlDistPointsCritical"> + <Descriptor> + <Syntax>boolean</Syntax> + <Description>Criticality</Description> + <DefaultValue>false</DefaultValue> + </Descriptor> + </policyAttribute> + <policyAttribute name="crlDistPointsValue"> + <Descriptor> + <Syntax>string_list</Syntax> + <Description>CRL Distribution Points</Description> + </Descriptor> + </policyAttribute> + <params name="crlDistPointsCritical"> + <value>false</value> + </params> + <params name="crlDistPointsNum"> + <value>1</value> + </params> + <params name="crlDistPointsPointType_0"> + <value>URIName</value> + </params> + <params name="crlDistPointsPointName_0"> + <value>http://ipa-ca.{ipadomain}/ipa/crl/MasterCRL.bin</value> + </params> + <params name="crlDistPointsReasons_0"> + <value></value> + </params> + <params name="crlDistPointsIssuerType_0"> + <value>DirectoryName</value> + </params> + <params name="crlDistPointsIssuerName_0"> + <value>CN=Certificate Authority,o=ipaca</value> + </params> + <params name="crlDistPointsEnable_0"> + <value>true</value> + </params> + </def> + <constraint id="No Constraint"> + <description>No Constraint</description> + <classId>noConstraintImpl</classId> + </constraint> + </value> + <value id="10"> + <def id="Subject Key Identifier Extension Default" classId="subjectKeyIdentifierExtDefaultImpl"> + <description>This default populates a Subject Key Identifier Extension (2.5.29.14) to the request.</description> + <policyAttribute name="critical"> + <Descriptor> + <Syntax>string</Syntax> + <Constraint>readonly</Constraint> + <Description>Criticality</Description> + </Descriptor> + </policyAttribute> + <policyAttribute name="keyid"> + <Descriptor> + <Syntax>string</Syntax> + <Constraint>readonly</Constraint> + 
<Description>Key ID</Description> + </Descriptor> + </policyAttribute> + </def> + <constraint id="No Constraint"> + <description>No Constraint</description> + <classId>noConstraintImpl</classId> + </constraint> + </value> + <value id="11"> + <def id="User Supplied Extension Default" classId="userExtensionDefaultImpl"> + <description>This default populates a User-Supplied Extension (2.5.29.17) to the request.</description> + <policyAttribute name="userExtOID"> + <Descriptor> + <Syntax>string</Syntax> + <Constraint>readonly</Constraint> + <Description>Object Identifier</Description> + </Descriptor> + </policyAttribute> + <params name="userExtOID"> + <value>2.5.29.17</value> + </params> + </def> + <constraint id="No Constraint"> + <description>No Constraint</description> + <classId>noConstraintImpl</classId> + </constraint> + </value> + </PolicySet> + </PolicySets> +</Profile> diff --git a/ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl b/ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl new file mode 100644 index 000000000..7fc2281ee --- /dev/null +++ b/ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl 
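Review bot: The Subject Name Default description in policy value 1 hard-codes a lab-specific organisation (`O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM`) while the corresponding `<params name="name">` value substitutes the `{ipacertbase}` template placeholder, so the rendered profile's description will contradict its own default once the template is filled. Consider making the description use the same placeholder, e.g. `...Subject Name=CN=$request.req_subject_name.cn$, {ipacertbase}</description>`, so the fixture reads consistently for whichever domain the test is run against. Separately, the signing-algorithm allow-list in policy value 8 and the key constraint in value 3 accept MD2withRSA, MD5withRSA, SHA1withRSA and 1024-bit RSA; if this fixture is meant to mirror the shipped caIPAserviceCert profile that is presumably intentional, but it is worth a one-line note in the test module stating that the fixture reproduces the profile as shipped rather than a hardened variant, so nobody later reads it as an endorsed configuration.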
@@ -0,0 +1,109 @@ +auth.instance_id=raCertAuth +classId=caEnrollImpl +profileId=caIPAserviceCert_mal +visible=false +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +enable=true +enableBy=ipara +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +input.list=i1,i2 +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, {ipacertbase} +policyset.serverCertSet.10.constraint.class_id=noConstraintImpl +policyset.serverCertSet.10.constraint.name=No Constraint +policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl +policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default +policyset.serverCertSet.10.default.params.critical=false +policyset.serverCertSet.11.constraint.class_id=noConstraintImpl +policyset.serverCertSet.11.constraint.name=No Constraint +policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl +policyset.serverCertSet.11.default.name=User Supplied Extension Default +policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17 +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.range=740 
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default +policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5.default.name=AIA Extension Default +policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true +policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName +policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.{ipadomain}/ca/ocsp +policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +policyset.serverCertSet.5.default.params.authInfoAccessCritical=false +policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 +policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl +policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint +policyset.serverCertSet.6.constraint.params.keyUsageCritical=true +policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false +policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true 
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false +policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true +policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false +policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false +policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false +policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true +policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true +policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl +policyset.serverCertSet.6.default.name=Key Usage Default +policyset.serverCertSet.6.default.params.keyUsageCritical=true +policyset.serverCertSet.6.default.params.keyUsageCrlSign=false +policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true +policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false +policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true +policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false +policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false +policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false +policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true +policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true +policyset.serverCertSet.7.constraint.class_id=noConstraintImpl +policyset.serverCertSet.7.constraint.name=No Constraint +policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl +policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default +policyset.serverCertSet.7.default.params.exKeyUsageCritical=false +policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 +policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl +policyset.serverCertSet.8.constraint.name=No Constraint 
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC +policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl +policyset.serverCertSet.8.default.name=Signing Alg +policyset.serverCertSet.8.default.params.signingAlg=- +policyset.serverCertSet.9.constraint.class_id=noConstraintImpl +policyset.serverCertSet.9.constraint.name=No Constraint +policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl +policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default +policyset.serverCertSet.9.default.params.crlDistPointsCritical=false +policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true +policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca +policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName +policyset.serverCertSet.9.default.params.crlDistPointsNum=1 +policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.{ipadomain}/ipa/crl/MasterCRL.bin +policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName +policyset.serverCertSet.9.default.params.crlDistPointsReasons_0= +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12 diff --git a/ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl b/ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl new file mode 100644 index 000000000..cff154462 --- /dev/null +++ b/ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl 
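Review bot: The final `policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12` entry references a policy id 12 for which no `policyset.serverCertSet.12.*` keys exist anywhere in the file; given the `_mal` suffix this looks like the deliberate malformation the test relies on, but nothing in the fixture or the hunk records that intent. A future maintainer "fixing" the dangling id would silently turn the negative test into a positive one. If the profile loader tolerates `#` comment lines, a one-line marker at the top such as `# intentionally malformed: policyset list names id 12, which is not defined` would pin the intent; otherwise the same sentence belongs in the docstring of the test that consumes this template (that test lives in test_certprofile_plugin.py, outside this hunk).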
@@ -0,0 +1,109 @@
+auth.instance_id=raCertAuth
+classId=caEnrollImpl
+profileId=caIPAserviceCert_mod
+visible=false
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+enable=true
+enableBy=ipara
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+input.list=i1,i2
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, {ipacertbase}
+policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.10.constraint.name=No Constraint
+policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
+policyset.serverCertSet.10.default.params.critical=false
+policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.11.constraint.name=No Constraint
+policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
+policyset.serverCertSet.11.default.name=User Supplied Extension Default
+policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.{ipadomain}/ca/ocsp
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
+policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
+policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
+policyset.serverCertSet.9.default.params.crlDistPointsNum=1
+policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.{ipadomain}/ipa/crl/MasterCRL.bin
+policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
+policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
diff --git a/ipatests/test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl b/ipatests/test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl
new file mode 100644
index 000000000..3fa2970b0
--- /dev/null
+++ b/ipatests/test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl
@@ -0,0 +1,109 @@
+auth.instance_id=raCertAuth
+classId=caEnrollImpl
+profileId=caIPAserviceCert_mod
+visible=false
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+enable=true
+enableBy=ipara
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+input.list=i1,i2
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, {ipacertbase}
+policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.10.constraint.name=No Constraint
+policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
+policyset.serverCertSet.10.default.params.critical=false
+policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.11.constraint.name=No Constraint
+policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
+policyset.serverCertSet.11.default.name=User Supplied Extension Default
+policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.{ipadomain}/ca/ocsp
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
+policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
+policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
+policyset.serverCertSet.9.default.params.crlDistPointsNum=1
+policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.{ipadomain}/ipa/crl/MasterCRL.bin
+policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
+policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12
diff --git a/ipatests/test_xmlrpc/test_certprofile_plugin.py b/ipatests/test_xmlrpc/test_certprofile_plugin.py
index 8fd81bc3f..2875cfe11 100644
--- a/ipatests/test_xmlrpc/test_certprofile_plugin.py
+++ b/ipatests/test_xmlrpc/test_certprofile_plugin.py
@@ -11,8 +11,9 @@
 import os
 import pytest
-from ipalib import errors
+from ipalib import api, errors
 from ipapython.dn import DN
+from ipatests.util import prepare_config
 from ipatests.test_xmlrpc.ldaptracker import Tracker
 from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test, raises_exact
 from ipatests.test_xmlrpc import objectclasses
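Review bot: Nothing in this template marks what makes it malformed: the only visible difference from caIPAserviceCert_mod.cfg.tmpl is the last line, `policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12`, which names a policy entry 12 while no `policyset.serverCertSet.12.*` keys are defined. A later edit that syncs the two templates could silently turn this fixture into a valid profile, and test_update_by_malformed_profile would then fail for the wrong reason. The same applies to caIPAserviceCert_mal.cfg.tmpl, whose list line also ends in `,12`. If the profile loader tolerates comment lines, a leading `# Intentionally malformed: serverCertSet.list names entry 12, which is never defined` would do; otherwise put that sentence in the Python fixture that consumes the file.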
@@ -138,3 +139,203 @@ class CertprofileTracker(Tracker):
 summary=u'Modified Certificate Profile "{}"'.format(self.name),
 result=self.filter_attrs(self.update_keys | set(extra_keys))
 ), result)
+
+
+IPA_CERT_SUBJ_BASE = (
+ api.Command.config_show()
+ ['result']['ipacertificatesubjectbase'][0]
+)
+
+BASE_DIR = os.path.dirname(__file__)
+CA_IPA_SERVICE_MODIFIED_TEMPLATE = os.path.join(
+ BASE_DIR, 'data/caIPAserviceCert_mod.cfg.tmpl')
+
+CA_IPA_SERVICE_MODIFIED_MALFORMED_TEMPLATE = os.path.join(
+ BASE_DIR, 'data/caIPAserviceCert_mod_mal.cfg.tmpl')
+
+CA_IPA_SERVICE_MALFORMED_TEMPLATE = os.path.join(
+ BASE_DIR, 'data/caIPAserviceCert_mal.cfg.tmpl')
+
+CA_IPA_SERVICE_XML_TEMPLATE = os.path.join(
+ BASE_DIR, 'data/caIPAserviceCert.xml.tmpl')
+
+RENAME_ERR_TEMPL = (
+ u'certprofile {} cannot be deleted/modified: '
+ 'Certificate profiles cannot be renamed')
+
+
+@pytest.fixture(scope='class')
+def default_profile(request):
+ name = 'caIPAserviceCert'
+ desc = u'Standard profile for network services'
+ tracker = CertprofileTracker(name, store=True, desc=desc)
+ tracker.track_create()
+ return tracker
+
+
+@pytest.fixture(scope='class')
+def user_profile(request):
+ name = 'caIPAserviceCert_mod'
+ profile_path = prepare_config(
+ CA_IPA_SERVICE_MODIFIED_TEMPLATE,
+ dict(
+ ipadomain=api.env.domain,
+ ipacertbase=IPA_CERT_SUBJ_BASE))
+
+ tracker = CertprofileTracker(
+ name, store=True, desc=u'Storing copy of a profile',
+ profile=profile_path
+ )
+
+ return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def malformed(request):
+ name = u'caIPAserviceCert_mal'
+ profile_path = prepare_config(
+ CA_IPA_SERVICE_MALFORMED_TEMPLATE,
+ dict(
+ ipadomain=api.env.domain,
+ ipacertbase=IPA_CERT_SUBJ_BASE))
+
+ tracker = CertprofileTracker(name, store=True, desc=u'malformed profile',
+ profile=profile_path)
+
+ # Do not return with finalizer. There should be nothing to delete
+ return tracker
+
+
+@pytest.fixture(scope='class')
+def xmlprofile(request):
+ name = u'caIPAserviceCert_xml'
+ profile_path = prepare_config(
+ CA_IPA_SERVICE_XML_TEMPLATE,
+ dict(
+ ipadomain=api.env.domain,
+ ipacertbase=IPA_CERT_SUBJ_BASE))
+
+ tracker = CertprofileTracker(name, store=True, desc=u'xml format profile',
+ profile=profile_path)
+
+ return tracker
+
+
+class TestDefaultProfile(XMLRPC_test):
+ def test_default_profile_present(self, default_profile):
+ default_profile.retrieve()
+
+ def test_deleting_default_profile(self, default_profile):
+ with pytest.raises(errors.ValidationError):
+ default_profile.delete()
+
+ def test_try_rename_by_setattr(self, default_profile):
+ command = default_profile.make_update_command(
+ updates=dict(setattr=u'cn=bogus'))
+ errmsg = RENAME_ERR_TEMPL.format(default_profile.name)
+
+ with raises_exact(errors.ProtectedEntryError(message=errmsg)):
+ command()
+
+ def test_try_rename_by_rename_option(self, default_profile):
+ command = default_profile.make_update_command(dict(rename=u'bogus_id'))
+ with pytest.raises(errors.OptionError):
+ command()
+
+
+class TestProfileCRUD(XMLRPC_test):
+ def test_create_duplicate(self, user_profile):
+ msg = u'Certificate Profile with name "{}" already exists'
+ user_profile.ensure_exists()
+ command = user_profile.make_create_command(force=True)
+ with raises_exact(errors.DuplicateEntry(
+ message=msg.format(user_profile.name))):
+ command()
+
+ def test_retrieve_simple(self, user_profile):
+ user_profile.retrieve()
+
+ def test_retrieve_all(self, user_profile):
+ user_profile.retrieve(all=True)
+
+ def test_export_profile(self, tmpdir, user_profile):
+ profile = tmpdir.join('{}.cfg'.format(user_profile.name))
+
+ command = user_profile.make_retrieve_command(out=unicode(profile))
+ command()
+
+ content = profile.read()
+ assert user_profile.name in content
+
+ def test_search_simple(self, user_profile):
+ user_profile.find()
+
+ def test_search_all(self, user_profile):
+ user_profile.find(all=True)
+
+ def test_update_store(self, user_profile):
+ user_profile.update(
+ dict(
+ ipacertprofilestoreissued=False
+ ),
+ expected_updates=dict(
+ ipacertprofilestoreissued=[u'FALSE']
+ )
+ )
+
+ def test_update_description(self, user_profile):
+ new_desc = u'new description'
+ user_profile.update(
+ dict(
+ description=new_desc
+ ),
+ expected_updates=dict(
+ description=[new_desc]
+ )
+ )
+
+ def test_update_by_malformed_profile(self, user_profile):
+ profile_path = prepare_config(
+ CA_IPA_SERVICE_MODIFIED_MALFORMED_TEMPLATE,
+ dict(
+ ipadomain=api.env.domain,
+ ipacertbase=IPA_CERT_SUBJ_BASE))
+
+ with open(profile_path, ) as f:
+ profile_content = f.read()
+ command = user_profile.make_update_command(
+ dict(file=unicode(profile_content)))
+
+ with pytest.raises(errors.ExecutionError):
+ command()
+
+ def test_try_rename_by_setattr(self, user_profile):
+ user_profile.ensure_exists()
+ command = user_profile.make_update_command(
+ updates=dict(setattr=u'cn=bogus'))
+ errmsg = RENAME_ERR_TEMPL.format(user_profile.name)
+
+ with raises_exact(errors.ProtectedEntryError(message=errmsg)):
+ command()
+
+ def test_delete(self, user_profile):
+ user_profile.ensure_exists()
+ user_profile.delete()
+
+ def test_try_rename_by_rename_option(self, user_profile):
+ user_profile.ensure_exists()
+ command = user_profile.make_update_command(dict(rename=u'bogus_id'))
+ with pytest.raises(errors.OptionError):
+ command()
+
+
+class TestMalformedProfile(XMLRPC_test):
+ def test_malformed_import(self, malformed):
+ with pytest.raises(errors.ExecutionError):
+ malformed.create()
+
+
+class TestImportFromXML(XMLRPC_test):
+ def test_import_xml(self, xmlprofile):
+ with pytest.raises(errors.ExecutionError):
+ xmlprofile.ensure_exists()
diff --git a/ipatests/util.py b/ipatests/util.py
index 5a6595a62..2039095b0 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
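Review bot: `IPA_CERT_SUBJ_BASE` is computed at module level from `api.Command.config_show()` at the top of this hunk, so merely importing or collecting the module performs a command call against the server; without a reachable, finalized API that presumably raises during collection of the whole test_xmlrpc package instead of the tests being skipped the way XMLRPC_test normally handles an absent server. Moving the lookup into a class-scoped fixture that user_profile, malformed, xmlprofile and test_update_by_malformed_profile request keeps the call inside the normal fixture lifecycle. Separately, `with open(profile_path, ) as f:` in test_update_by_malformed_profile carries a stray trailing comma; `with open(profile_path) as f:` is the intended form. The `request` parameter of default_profile, malformed and xmlprofile is never used and can be dropped.
```python
@pytest.fixture(scope='class')
def ipa_cert_subj_base():
    # Looked up lazily so importing this module does not need a live server.
    return api.Command.config_show()['result']['ipacertificatesubjectbase'][0]


@pytest.fixture(scope='class')
def user_profile(request, ipa_cert_subj_base):
    name = 'caIPAserviceCert_mod'
    profile_path = prepare_config(
        CA_IPA_SERVICE_MODIFIED_TEMPLATE,
        dict(
            ipadomain=api.env.domain,
            ipacertbase=ipa_cert_subj_base))
    # … unchanged: tracker construction and make_fixture …

# … unchanged: malformed, xmlprofile and test_update_by_malformed_profile
#     take ipa_cert_subj_base the same way in place of IPA_CERT_SUBJ_BASE …
```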
@@ -650,3 +650,13 @@ class MockLDAP(object):
 def unbind(self):
 if self.connection is not None:
 self.connection.unbind_s()
+
+
+def prepare_config(template, values):
+ with open(template) as f:
+ template = f.read()
+
+ with tempfile.NamedTemporaryFile(mode='w', delete=False) as config:
+ config.write(template.format(**values))
+
+ return config.name |
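Review bot: prepare_config opens the rendered file with `delete=False` and returns only its name, so every call leaves a rendered profile in the temp directory, and none of the fixtures in test_certprofile_plugin.py that call it ever remove the file. Either have the callers unlink it in a fixture finalizer or make the ownership explicit with a docstring such as `"""Render template with values via str.format into a temp file and return its path; the caller deletes it."""`, and mention there that literal braces in a template must be doubled because of str.format. The function also rebinds the `template` parameter from a path to the file's content, which makes the second `with` block read as if it formatted a filename; a separate local such as `content = f.read()` is clearer. Presumably `tempfile` is already imported at the top of ipatests/util.py, since the diffstat attributes only these ten insertions to the file, but that is worth a quick check.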