authorChristian Heimes <cheimes@redhat.com>2019-08-06 09:56:35 +0200
committerChristian Heimes <cheimes@redhat.com>2019-08-06 12:39:46 +0200
commit69138c848d605ddcb997c8d3f6d51ebdc561c8a6 (patch)
tree3cb97e40ba352cbd28cb7b0c6a964ac36de79b24
parentadcf04255cb24564230604469ae34c180e057dfa (diff)
downloadfreeipa-69138c848d605ddcb997c8d3f6d51ebdc561c8a6.tar.gz
freeipa-69138c848d605ddcb997c8d3f6d51ebdc561c8a6.tar.xz
freeipa-69138c848d605ddcb997c8d3f6d51ebdc561c8a6.zip
Test external CA with DNS name constraints
Verify that FreeIPA can be installed with an external CA that has a name constraints extension. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r--ipatests/create_external_ca.py5
-rw-r--r--ipatests/prci_definitions/gating.yaml2
-rw-r--r--ipatests/prci_definitions/nightly_f28.yaml2
-rw-r--r--ipatests/prci_definitions/nightly_f29.yaml2
-rw-r--r--ipatests/prci_definitions/nightly_master.yaml2
-rw-r--r--ipatests/prci_definitions/nightly_rawhide.yaml2
-rw-r--r--ipatests/pytest_ipa/integration/tasks.py7
-rw-r--r--ipatests/test_integration/test_external_ca.py30
8 files changed, 44 insertions, 8 deletions
diff --git a/ipatests/create_external_ca.py b/ipatests/create_external_ca.py
index a318b8090..7d14fdcf2 100644
--- a/ipatests/create_external_ca.py
+++ b/ipatests/create_external_ca.py
@@ -63,7 +63,7 @@ class ExternalCA:
backend=default_backend(),
)
- def create_ca(self, cn=ISSUER_CN, path_length=None):
+ def create_ca(self, cn=ISSUER_CN, path_length=None, extensions=()):
"""Create root CA.
:returns: bytes -- Root CA in PEM format.
@@ -114,6 +114,9 @@ class ExternalCA:
critical=False,
)
+ for extension in extensions:
+ builder = builder.add_extension(extension, critical=False)
+
cert = builder.sign(self.ca_key, hashes.SHA256(), default_backend())
return cert.public_bytes(serialization.Encoding.PEM)
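Review bot: The new loop hard-codes `critical=False` for every caller-supplied extension, which is wrong for the extension this commit exists to exercise: RFC 5280 §4.2.1.10 requires a conforming CA to mark NameConstraints critical, and a validator that skips unrecognised non-critical extensions may then never enforce the constraint, so the integration test can pass even if the constraint is silently ignored. The criticality should be chosen per extension rather than fixed in `create_ca`; accepting either a bare extension value or an `(extension, critical)` pair keeps the existing call sites working while letting the NameConstraints test request a critical extension. The rest of `create_ca` lies outside this hunk.
```python
        for extension in extensions:
            # accept a bare ExtensionType or an (ExtensionType, critical) pair;
            # NameConstraints must be critical per RFC 5280, others default to False
            critical = False
            if isinstance(extension, tuple):
                extension, critical = extension
            builder = builder.add_extension(extension, critical=critical)

        # … unchanged: sign and encode …
```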
diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml
index 81fa4bba1..990797eee 100644
--- a/ipatests/prci_definitions/gating.yaml
+++ b/ipatests/prci_definitions/gating.yaml
@@ -70,7 +70,7 @@ jobs:
class: RunPytest
args:
build_url: '{fedora-30/build_url}'
- test_suite: test_integration/test_external_ca.py::TestExternalCA
+ test_suite: test_integration/test_external_ca.py::TestExternalCA test_integration/test_external_ca.py::TestExternalCAConstraints
template: *ci-master-f30
timeout: 4800
topology: *master_1repl_1client
diff --git a/ipatests/prci_definitions/nightly_f28.yaml b/ipatests/prci_definitions/nightly_f28.yaml
index a1458e566..1a066d08d 100644
--- a/ipatests/prci_definitions/nightly_f28.yaml
+++ b/ipatests/prci_definitions/nightly_f28.yaml
@@ -58,7 +58,7 @@ jobs:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
- test_suite: test_integration/test_external_ca.py::TestExternalCA
+ test_suite: test_integration/test_external_ca.py::TestExternalCA test_integration/test_external_ca.py::TestExternalCAConstraints
template: *ci-master-f28
timeout: 4800
topology: *master_1repl_1client
diff --git a/ipatests/prci_definitions/nightly_f29.yaml b/ipatests/prci_definitions/nightly_f29.yaml
index 3b0cd0476..b88d21b97 100644
--- a/ipatests/prci_definitions/nightly_f29.yaml
+++ b/ipatests/prci_definitions/nightly_f29.yaml
@@ -62,7 +62,7 @@ jobs:
class: RunPytest
args:
build_url: '{fedora-29/build_url}'
- test_suite: test_integration/test_external_ca.py::TestExternalCA
+ test_suite: test_integration/test_external_ca.py::TestExternalCA test_integration/test_external_ca.py::TestExternalCAConstraints
template: *ci-master-f29
timeout: 4800
topology: *master_1repl_1client
diff --git a/ipatests/prci_definitions/nightly_master.yaml b/ipatests/prci_definitions/nightly_master.yaml
index 17e5ac78f..c1aac2ca5 100644
--- a/ipatests/prci_definitions/nightly_master.yaml
+++ b/ipatests/prci_definitions/nightly_master.yaml
@@ -62,7 +62,7 @@ jobs:
class: RunPytest
args:
build_url: '{fedora-30/build_url}'
- test_suite: test_integration/test_external_ca.py::TestExternalCA
+ test_suite: test_integration/test_external_ca.py::TestExternalCA test_integration/test_external_ca.py::TestExternalCAConstraints
template: *ci-master-f30
timeout: 4800
topology: *master_1repl_1client
diff --git a/ipatests/prci_definitions/nightly_rawhide.yaml b/ipatests/prci_definitions/nightly_rawhide.yaml
index 39564f85b..8d2e862a9 100644
--- a/ipatests/prci_definitions/nightly_rawhide.yaml
+++ b/ipatests/prci_definitions/nightly_rawhide.yaml
@@ -62,7 +62,7 @@ jobs:
class: RunPytest
args:
build_url: '{fedora-rawhide/build_url}'
- test_suite: test_integration/test_external_ca.py::TestExternalCA
+ test_suite: test_integration/test_external_ca.py::TestExternalCA test_integration/test_external_ca.py::TestExternalCAConstraints
template: *ci-master-frawhide
timeout: 4800
topology: *master_1repl_1client
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 5963cd77a..d09a67968 100644
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -1696,7 +1696,7 @@ def add_dns_zone(master, zone, skip_overlap_check=False,
def sign_ca_and_transport(host, csr_name, root_ca_name, ipa_ca_name,
root_ca_path_length=None, ipa_ca_path_length=1,
- key_size=None,):
+ key_size=None, root_ca_extensions=()):
"""
Sign ipa csr and save signed CA together with root CA back to the host.
Returns root CA and IPA CA paths on the host.
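Review bot: `root_ca_extensions` is added to the signature of `sign_ca_and_transport` but the docstring that begins in this hunk only describes the behaviour and return value, so the new keyword is undocumented at the helper most tests call. Adding a line such as `:param root_ca_extensions: extra x509 extensions placed on the generated root CA (passed through to ExternalCA.create_ca)` alongside the existing text would cover it; whether `create_ca` marks them critical should be stated there too, since callers of this helper cannot see that detail. The docstring and function body continue outside this hunk.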
@@ -1709,7 +1709,10 @@ def sign_ca_and_transport(host, csr_name, root_ca_name, ipa_ca_name,
external_ca = ExternalCA(key_size=key_size)
# Create root CA
- root_ca = external_ca.create_ca(path_length=root_ca_path_length)
+ root_ca = external_ca.create_ca(
+ path_length=root_ca_path_length,
+ extensions=root_ca_extensions,
+ )
# Sign CSR
ipa_ca = external_ca.sign_csr(ipa_csr, path_length=ipa_ca_path_length)
diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
index 714aebd4a..e212b682f 100644
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
@@ -190,6 +190,36 @@ class TestExternalCA(IntegrationTest):
'-U'])
+class TestExternalCAConstraints(IntegrationTest):
+ """Test of FreeIPA server installation with external CA and constraints
+ """
+ num_replicas = 0
+ num_clients = 1
+
+ def test_external_ca_constrained(self):
+ install_server_external_ca_step1(self.master)
+
+ # name constraints for IPA DNS domain (dot prefix)
+ nameconstraint = x509.NameConstraints(
+ permitted_subtrees=[
+ x509.DNSName("." + self.master.domain.name),
+ ],
+ excluded_subtrees=None
+ )
+
+ root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
+ self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA,
+ root_ca_extensions=[nameconstraint],
+ )
+
+ install_server_external_ca_step2(
+ self.master, ipa_ca_fname, root_ca_fname
+ )
+
+ tasks.kinit_admin(self.master)
+ self.master.run_command(['ipa', 'ping'])
+
+
def verify_caentry(host, cert):
"""
Verify the content of cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,basedn
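Review bot: `test_external_ca_constrained` only asserts that installation and `ipa ping` succeed, so it cannot distinguish "the name constraint was honoured" from "the constraint was dropped or ignored by the CA chain"; nothing reads the deployed root CA back to check the extension survived, and there is no negative case. A minimal strengthening is to load the root CA returned by `tasks.sign_ca_and_transport` from `root_ca_fname` on the master and assert that `cert.extensions.get_extension_for_class(x509.NameConstraints)` is present with the expected permitted subtree, using the certificate-loading helper the module already imports. A companion test that passes a permitted subtree outside `self.master.domain.name` and expects `install_server_external_ca_step2` to fail would show the constraint is actually enforced, though whether the installer rejects such a chain is not visible from this hunk and would need confirming. The class ends inside the hunk; `verify_caentry` continues beyond it.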