From 68f4af3122bfd9f83f4f09a7b6254da1bf0e533a Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Wed, 5 Mar 2014 16:46:21 +0100
Subject: tests: Create the testing service certificate on demand
Replace the make-testcert command with a module that creates the certificate when it is first needed. As a result the tests are more self-contained, and can be run from a read-only location (such as installed from a system package).
Reviewed-By: Jan Cholasta
---
ipatests/test_xmlrpc/testcert.py | 103 +++++++++++++++++++++++++++++++++++++++
1 file changed, 103 insertions(+)
create mode 100644 ipatests/test_xmlrpc/testcert.py
(limited to 'ipatests/test_xmlrpc/testcert.py')
diff --git a/ipatests/test_xmlrpc/testcert.py b/ipatests/test_xmlrpc/testcert.py
new file mode 100644
index 000000000..ead6ee7f5
--- /dev/null
+++ b/ipatests/test_xmlrpc/testcert.py
@@ -0,0 +1,103 @@
+#
+# Authors:
+# Rob Crittenden
+#
+# Copyright (C) 2011 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+"""
+Provide a custom certificate used in the service tests.
+
+The certificate in cached in a global variable so it only has to be created
+once per test run.
+"""
+
+import os
+import tempfile
+import shutil
+from ipalib import api, x509
+from ipaserver.plugins import rabase
+from ipapython import ipautil
+from ipapython.dn import DN
+
+_testcert = None
+
+
+def get_testcert():
+ """Get the certificate, creating it if it doesn't exist"""
+ global _testcert
+ if _testcert is None:
+ reqdir = tempfile.mkdtemp(prefix="tmp-")
+ try:
+ _testcert = makecert(reqdir)
+ finally:
+ shutil.rmtree(reqdir)
+ return x509.strip_header(_testcert)
+
+
+def run_certutil(reqdir, args, stdin=None):
+ """
+ Run an NSS certutil command
+ """
+ new_args = ["/usr/bin/certutil", "-d", reqdir]
+ new_args = new_args + args
+ return ipautil.run(new_args, stdin)
+
+
+def generate_csr(reqdir, pwname, subject):
+ """
+ Create a CSR for the given subject.
+ """
+ req_path = os.path.join(reqdir, 'req')
+ run_certutil(reqdir, ["-R", "-s", subject,
+ "-o", req_path,
+ "-z", "/etc/group",
+ "-f", pwname,
+ "-a"])
+ with open(req_path, "r") as fp:
+ return fp.read()
+
+
+def makecert(reqdir):
+ """
+ Generate a service certificate that can be used during unit testing.
+ """
+
+ ra = rabase.rabase()
+ if (not os.path.exists(ra.sec_dir) and
+ api.env.xmlrpc_uri == 'http://localhost:8888/ipa/xml'):
+ raise AssertionError('The self-signed CA is not configured, '
+ 'see ipatests/test_xmlrpc/test_cert.py')
+
+ pwname = os.path.join(reqdir, "pwd")
+
+ # Create an empty password file
+ with open(pwname, "w") as fp:
+ fp.write("\n")
+
+ # Generate NSS cert database to store the private key for our CSR
+ run_certutil(reqdir, ["-N", "-f", pwname])
+
+ res = api.Command['config_show']()
+ subject_base = res['result']['ipacertificatesubjectbase'][0]
+
+ cert = None
+ subject = DN(('CN', api.env.host), subject_base)
+ princ = 'unittest/%s@%s' % (api.env.host, api.env.realm)
+ csr = unicode(generate_csr(reqdir, pwname, str(subject)))
+
+ res = api.Command['cert_request'](csr, principal=princ, add=True)
+ return x509.make_pem(res['result']['certificate'])
-- cgit
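Review bot: In `generate_csr`, `"-z", "/etc/group"` hands certutil a world-readable file as the noise input for key generation, and its contents are the same on every run, so it contributes nothing unpredictable to the private key behind the CSR. NSS presumably still mixes in its own randomness, and the key is discarded when `get_testcert` removes `reqdir`, but the pattern is easy to copy into code that keeps its keys. I would write `os.urandom(...)` output to a file under `reqdir` and pass that path to `-z`, or at least add a comment such as `# /etc/group is a predictable noise source; acceptable only because this key is deleted with reqdir`. Separately, `cert = None` in `makecert` is never read and can be dropped.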