summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMilan KubĂ­k <mkubik@redhat.com>2016-06-21 15:57:58 +0200
committerPetr Vobornik <pvoborni@redhat.com>2016-07-12 10:55:50 +0200
commitd88a12f1f59640bb6593169aa4c7ea204af18cee (patch)
treed99993c9f6ed02c323435c82b97cbb4f52fa3aab
parent5b37aaad7718bd0214053fd2e758ba7dc332e21d (diff)
downloadfreeipa-d88a12f1f59640bb6593169aa4c7ea204af18cee.tar.gz
freeipa-d88a12f1f59640bb6593169aa4c7ea204af18cee.tar.xz
freeipa-d88a12f1f59640bb6593169aa4c7ea204af18cee.zip
ipatests: Test Sub CA with CAACL and certificate profile
Test the Sub CA feature by signing a CSR with custom certificate profile. The test also covers 'cert-request' fallback behaviour for missing 'cacn' and 'profile-id' options by reusing the fixtures from the module. https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
-rw-r--r--ipatests/test_xmlrpc/test_caacl_profile_enforcement.py110
1 files changed, 110 insertions, 0 deletions
diff --git a/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py b/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py
index 11c040966..a70d81d88 100644
--- a/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py
+++ b/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py
@@ -15,6 +15,7 @@ from ipatests.util import (
from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
from ipatests.test_xmlrpc.tracker.certprofile_plugin import CertprofileTracker
from ipatests.test_xmlrpc.tracker.caacl_plugin import CAACLTracker
+from ipatests.test_xmlrpc.tracker.ca_plugin import CATracker
from ipapython.ipautil import run
@@ -250,3 +251,112 @@ class TestSignWithChangedProfile(XMLRPC_test):
with pytest.raises(errors.CertificateOperationError):
api.Command.cert_request(csr, principal=smime_user,
profile_id=smime_profile.name)
+
+
+@pytest.fixture(scope='class')
+def smime_signing_ca(request):
+ name = u'smime-signing-ca'
+ subject = u'CN=SMIME CA,O=test industries Inc.'
+ return CATracker(name, subject).make_fixture(request)
+
+
+@pytest.mark.tier1
+class TestCertSignMIMEwithSubCA(XMLRPC_test):
+ """ Test Certificate Signing with Sub CA
+
+ The test covers following areas:
+
+ * signing a CSR with custom certificate profile
+ using a designated Sub CA
+ * Verify that the Issuer of the signed certificate
+ is the reqested CA
+ * Verify that when not set, cert-request uses the default CA.
+ This it verified by violating an ACL
+ * Verify that when not set, cert-request uses the default
+ certificate profile.
+
+ The latter two test cases are implemented in this module
+ as not to replicate the fixtures to cert plugin test module.
+ """
+
+ def test_cert_import(self, smime_profile):
+ smime_profile.ensure_exists()
+
+ def test_create_acl(self, smime_acl):
+ smime_acl.ensure_exists()
+
+ def test_create_subca(self, smime_signing_ca):
+ smime_signing_ca.ensure_exists()
+
+ def test_add_profile_to_acl(self, smime_acl, smime_profile):
+ smime_acl.add_profile(certprofile=smime_profile.name)
+
+ def test_add_subca_to_acl(self, smime_acl, smime_signing_ca):
+ smime_acl.add_ca(smime_signing_ca.name)
+
+ # rewrite to trackers, prepare elsewhere
+ def test_add_user_to_group(self, smime_group, smime_user):
+ api.Command.group_add_member(smime_group, user=smime_user)
+
+ def test_add_group_to_acl(self, smime_group, smime_acl):
+ smime_acl.add_user(group=smime_group)
+
+ def test_sign_smime_csr(self, smime_profile, smime_user, smime_signing_ca):
+ csr = generate_user_csr(smime_user)
+ with change_principal(smime_user, SMIME_USER_PW):
+ api.Command.cert_request(csr, principal=smime_user,
+ profile_id=smime_profile.name,
+ cacn=smime_signing_ca.name)
+
+ def test_sign_smime_csr_full_principal(
+ self, smime_profile, smime_user, smime_signing_ca):
+ csr = generate_user_csr(smime_user)
+ smime_user_principal = '@'.join((smime_user, api.env.realm))
+ with change_principal(smime_user, SMIME_USER_PW):
+ api.Command.cert_request(csr, principal=smime_user_principal,
+ profile_id=smime_profile.name,
+ cacn=smime_signing_ca.name)
+
+ def test_verify_cert_issuer_dn_is_subca(
+ self, smime_profile, smime_user, smime_signing_ca):
+ csr = generate_user_csr(smime_user)
+ smime_user_principal = '@'.join((smime_user, api.env.realm))
+ with change_principal(smime_user, SMIME_USER_PW):
+ cert_info = api.Command.cert_request(
+ csr, principal=smime_user_principal,
+ profile_id=smime_profile.name, cacn=smime_signing_ca.name)
+
+ assert cert_info['result']['issuer'] == smime_signing_ca.ipasubjectdn
+
+ def test_sign_smime_csr_fallback_to_default_CA(
+ self, smime_profile, smime_user, smime_signing_ca):
+ """ Attempt to sign a CSR without CA specified.
+
+ The request will satisfy SMIME_ACL via the profile ID,
+ however not specifying the CA will fallback to the IPA CA
+ for which SMIME profile isn't enabled, thus violating ACL.
+ """
+ csr = generate_user_csr(smime_user)
+ smime_user_principal = '@'.join((smime_user, api.env.realm))
+
+ with pytest.raises(errors.ACIError):
+ with change_principal(smime_user, SMIME_USER_PW):
+ api.Command.cert_request(csr, principal=smime_user_principal,
+ profile_id=smime_profile.name)
+
+ def test_sign_smime_csr_fallback_to_default_cert_profile(
+ self, smime_profile, smime_user, smime_signing_ca):
+ """ Attempt to sign a CSR without certificate profile specified.
+
+ Similar to previous test case.
+ By specifying only the CA to use, profile will fallback to
+ the default caIPAserviceCert profile which is not enabled
+ via ACL to be used with the CA, thus failing the request.
+ """
+ csr = generate_user_csr(smime_user)
+ smime_user_principal = '@'.join((smime_user, api.env.realm))
+
+ with pytest.raises(errors.ACIError):
+ with change_principal(smime_user, SMIME_USER_PW):
+ api.Command.cert_request(csr, principal=smime_user_principal,
+ cacn=smime_signing_ca.name)