author | Milan KubĂk <mkubik@redhat.com> | 2016-06-21 15:57:58 +0200 |
committer | Petr Vobornik <pvoborni@redhat.com> | 2016-07-12 10:55:50 +0200 |
commit | d88a12f1f59640bb6593169aa4c7ea204af18cee (patch) | |
tree | d99993c9f6ed02c323435c82b97cbb4f52fa3aab | |
parent | 5b37aaad7718bd0214053fd2e758ba7dc332e21d (diff) | |
ipatests: Test Sub CA with CAACL and certificate profile
Test the Sub CA feature by signing a CSR with custom
certificate profile.
The test also covers 'cert-request' fallback behaviour
for missing 'cacn' and 'profile-id' options by reusing
the fixtures from the module.
https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
-rw-r--r-- | ipatests/test_xmlrpc/test_caacl_profile_enforcement.py | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py b/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py
index 11c040966..a70d81d88 100644
--- a/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py
+++ b/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py
@@ -15,6 +15,7 @@ from ipatests.util import (
 from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
 from ipatests.test_xmlrpc.tracker.certprofile_plugin import CertprofileTracker
 from ipatests.test_xmlrpc.tracker.caacl_plugin import CAACLTracker
+from ipatests.test_xmlrpc.tracker.ca_plugin import CATracker
 from ipapython.ipautil import run
@@ -250,3 +251,112 @@ class TestSignWithChangedProfile(XMLRPC_test):
         with pytest.raises(errors.CertificateOperationError):
             api.Command.cert_request(csr, principal=smime_user,
                                      profile_id=smime_profile.name)
+
+
+@pytest.fixture(scope='class')
+def smime_signing_ca(request):
+    name = u'smime-signing-ca'
+    subject = u'CN=SMIME CA,O=test industries Inc.'
+    return CATracker(name, subject).make_fixture(request)
+
+
+@pytest.mark.tier1
+class TestCertSignMIMEwithSubCA(XMLRPC_test):
+    """ Test Certificate Signing with Sub CA
+
+    The test covers following areas:
+
+    * signing a CSR with custom certificate profile
+      using a designated Sub CA
+    * Verify that the Issuer of the signed certificate
+      is the reqested CA
+    * Verify that when not set, cert-request uses the default CA.
+      This it verified by violating an ACL
+    * Verify that when not set, cert-request uses the default
+      certificate profile.
+
+    The latter two test cases are implemented in this module
+    as not to replicate the fixtures to cert plugin test module.
+    """
+
+    def test_cert_import(self, smime_profile):
+        smime_profile.ensure_exists()
+
+    def test_create_acl(self, smime_acl):
+        smime_acl.ensure_exists()
+
+    def test_create_subca(self, smime_signing_ca):
+        smime_signing_ca.ensure_exists()
+
+    def test_add_profile_to_acl(self, smime_acl, smime_profile):
+        smime_acl.add_profile(certprofile=smime_profile.name)
+
+    def test_add_subca_to_acl(self, smime_acl, smime_signing_ca):
+        smime_acl.add_ca(smime_signing_ca.name)
+
+    # rewrite to trackers, prepare elsewhere
+    def test_add_user_to_group(self, smime_group, smime_user):
+        api.Command.group_add_member(smime_group, user=smime_user)
+
+    def test_add_group_to_acl(self, smime_group, smime_acl):
+        smime_acl.add_user(group=smime_group)
+
+    def test_sign_smime_csr(self, smime_profile, smime_user, smime_signing_ca):
+        csr = generate_user_csr(smime_user)
+        with change_principal(smime_user, SMIME_USER_PW):
+            api.Command.cert_request(csr, principal=smime_user,
+                                     profile_id=smime_profile.name,
+                                     cacn=smime_signing_ca.name)
+
+    def test_sign_smime_csr_full_principal(
+            self, smime_profile, smime_user, smime_signing_ca):
+        csr = generate_user_csr(smime_user)
+        smime_user_principal = '@'.join((smime_user, api.env.realm))
+        with change_principal(smime_user, SMIME_USER_PW):
+            api.Command.cert_request(csr, principal=smime_user_principal,
+                                     profile_id=smime_profile.name,
+                                     cacn=smime_signing_ca.name)
+
+    def test_verify_cert_issuer_dn_is_subca(
+            self, smime_profile, smime_user, smime_signing_ca):
+        csr = generate_user_csr(smime_user)
+        smime_user_principal = '@'.join((smime_user, api.env.realm))
+        with change_principal(smime_user, SMIME_USER_PW):
+            cert_info = api.Command.cert_request(
+                csr, principal=smime_user_principal,
+                profile_id=smime_profile.name, cacn=smime_signing_ca.name)
+
+        assert cert_info['result']['issuer'] == smime_signing_ca.ipasubjectdn
+
+    def test_sign_smime_csr_fallback_to_default_CA(
+            self, smime_profile, smime_user, smime_signing_ca):
+        """ Attempt to sign a CSR without CA specified.
+
+        The request will satisfy SMIME_ACL via the profile ID,
+        however not specifying the CA will fallback to the IPA CA
+        for which SMIME profile isn't enabled, thus violating ACL.
+        """
+        csr = generate_user_csr(smime_user)
+        smime_user_principal = '@'.join((smime_user, api.env.realm))
+
+        with pytest.raises(errors.ACIError):
+            with change_principal(smime_user, SMIME_USER_PW):
+                api.Command.cert_request(csr, principal=smime_user_principal,
+                                         profile_id=smime_profile.name)
+
+    def test_sign_smime_csr_fallback_to_default_cert_profile(
+            self, smime_profile, smime_user, smime_signing_ca):
+        """ Attempt to sign a CSR without certificate profile specified.
+
+        Similar to previous test case.
+        By specifying only the CA to use, profile will fallback to
+        the default caIPAserviceCert profile which is not enabled
+        via ACL to be used with the CA, thus failing the request.
+        """
+        csr = generate_user_csr(smime_user)
+        smime_user_principal = '@'.join((smime_user, api.env.realm))
+
+        with pytest.raises(errors.ACIError):
+            with change_principal(smime_user, SMIME_USER_PW):
+                api.Command.cert_request(csr, principal=smime_user_principal,
+                                         cacn=smime_signing_ca.name)
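Review bot: In both fallback tests at the end of the hunk (`test_sign_smime_csr_fallback_to_default_CA` and `test_sign_smime_csr_fallback_to_default_cert_profile`) the `pytest.raises(errors.ACIError)` block wraps the `change_principal(...)` context as well as the `cert_request` call, so an ACIError raised while switching credentials or during the context manager's exit would satisfy the assertion without the CA ACL check ever being exercised. Narrowing the scope pins the expected failure to the request itself: `with change_principal(smime_user, SMIME_USER_PW):` / `    with pytest.raises(errors.ACIError):` / `        api.Command.cert_request(csr, principal=smime_user_principal, profile_id=smime_profile.name)` (and likewise with `cacn=` in the second test). The two positive tests `test_sign_smime_csr` and `test_sign_smime_csr_full_principal` only check that the call does not raise; asserting `result['issuer'] == smime_signing_ca.ipasubjectdn` there too, as `test_verify_cert_issuer_dn_is_subca` does, would catch a request that silently lands on the default CA. The class docstring also has two typos worth fixing ("reqested", "This it verified" → "This is verified").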