Imported Debian patch 4.8.10-2

ipatests/test_integration/test_external_ca.py

@@ -22,9 +22,14 @@ import re
 import time
 import tempfile
 
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+
 from ipatests.pytest_ipa.integration import tasks
 from ipatests.test_integration.base import IntegrationTest
+from ipalib import x509 as ipa_x509
 from ipaplatform.paths import paths
+from ipapython.dn import DN
 
 from itertools import chain, repeat
 from ipatests.create_external_ca import ExternalCA, ISSUER_CN
@@ -46,7 +51,7 @@ def check_CA_flag(host, nssdb=paths.PKI_TOMCAT_ALIAS_DIR,
     text = result.stdout_text
 
     # match CN in cert nickname and C flag in SSL section of NSS flags table
-    match_CA_flag = re.compile('.*{}.*\s+C'.format(cn))
+    match_CA_flag = re.compile(r'.*{}.*\s+C'.format(cn))
     match = re.search(match_CA_flag, text)
 
     return match
@@ -69,20 +74,23 @@ def match_in_journal(host, string, since='today', services=('certmonger',)):
     return match
 
 
-def install_server_external_ca_step1(host):
+def install_server_external_ca_step1(host, extra_args=(), raiseonerr=True):
     """Step 1 to install the ipa server with external ca"""
-    return tasks.install_master(host, external_ca=True)
+    return tasks.install_master(
+        host, external_ca=True, extra_args=extra_args, raiseonerr=raiseonerr,
+    )
 
 
-def install_server_external_ca_step2(host, ipa_ca_cert, root_ca_cert):
+def install_server_external_ca_step2(host, ipa_ca_cert, root_ca_cert,
+                                     raiseonerr=True):
     """Step 2 to install the ipa server with external ca"""
-    args = ['ipa-server-install',
+    args = ['ipa-server-install', '-U', '-r', host.domain.realm,
             '-a', host.config.admin_password,
             '-p', host.config.dirman_password,
             '--external-cert-file', ipa_ca_cert,
             '--external-cert-file', root_ca_cert]
 
-    cmd = host.run_command(args)
+    cmd = host.run_command(args, raiseonerr=raiseonerr)
     return cmd
 
 
@@ -95,6 +103,21 @@ def service_control_dirsrv(host, function):
     assert cmd.returncode == 0
 
 
+def check_ipaca_issuerDN(host, expected_dn):
+    result = host.run_command(['ipa', 'ca-show', 'ipa'])
+    assert "Issuer DN: {}".format(expected_dn) in result.stdout_text
+
+
+def check_mscs_extension(ipa_csr, template):
+    csr = x509.load_pem_x509_csr(ipa_csr, default_backend())
+    extensions = [
+        ext for ext in csr.extensions
+        if ext.oid.dotted_string == template.ext_oid
+    ]
+    assert extensions
+    assert extensions[0].value.value == template.get_ext_data()
+
+
 class TestExternalCA(IntegrationTest):
     """
     Test of FreeIPA server installation with external CA
@@ -104,9 +127,15 @@ class TestExternalCA(IntegrationTest):
 
     def test_external_ca(self):
         # Step 1 of ipa-server-install.
-        result = install_server_external_ca_step1(self.master)
+        result = install_server_external_ca_step1(
+            self.master, extra_args=['--external-ca-type=ms-cs']
+        )
         assert result.returncode == 0
 
+        # check CSR for extension
+        ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR)
+        check_mscs_extension(ipa_csr, ipa_x509.MSCSTemplateV1(u'SubCA'))
+
         # Sign CA, transport it to the host and get ipa a root ca paths.
         root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
             self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)
@@ -125,17 +154,11 @@ class TestExternalCA(IntegrationTest):
         tasks.install_replica(self.master, self.replicas[0])
 
         # check that nsds5ReplicaReleaseTimeout option was set
-        result = self.master.run_command([
-            'ldapsearch',
-            '-x',
-            '-D',
-            'cn=directory manager',
-            '-w', self.master.config.dirman_password,
-            '-b', 'cn=mapping tree,cn=config',
-            '(cn=replica)',
-            '-LLL',
-            '-o',
-            'ldif-wrap=no'])
+        result = tasks.ldapsearch_dm(
+            self.master,
+            'cn=mapping tree,cn=config',
+            ['(cn=replica)'],
+        )
         # case insensitive match
         text = result.stdout_text.lower()
         # see ipaserver.install.replication.REPLICA_FINAL_SETTINGS
@@ -167,6 +190,62 @@ class TestExternalCA(IntegrationTest):
              '-U'])
 
 
+class TestExternalCAConstraints(IntegrationTest):
+    """Test of FreeIPA server installation with external CA and constraints
+    """
+    num_replicas = 0
+    num_clients = 1
+
+    def test_external_ca_constrained(self):
+        install_server_external_ca_step1(self.master)
+
+        # name constraints for IPA DNS domain (dot prefix)
+        nameconstraint = x509.NameConstraints(
+            permitted_subtrees=[
+                x509.DNSName("." + self.master.domain.name),
+            ],
+            excluded_subtrees=None
+        )
+
+        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
+            self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA,
+            root_ca_extensions=[nameconstraint],
+        )
+
+        install_server_external_ca_step2(
+            self.master, ipa_ca_fname, root_ca_fname
+        )
+
+        tasks.kinit_admin(self.master)
+        self.master.run_command(['ipa', 'ping'])
+
+
+def verify_caentry(host, cert):
+    """
+    Verify the content of cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,basedn
+    and make sure that ipaConfigString contains the expected values.
+    Verify the content of cn=cacert,cn=certificates,cn=ipa,cn=etc,basedn
+    and make sure that it contains the expected certificate.
+    """
+    # Check the LDAP entry
+    ldap = host.ldap_connect()
+    # cn=DOMAIN IPA CA must contain ipaConfigString: ipaCa, compatCA
+    ca_nick = '{} IPA CA'.format(host.domain.realm)
+    entry = ldap.get_entry(DN(('cn', ca_nick), ('cn', 'certificates'),
+                              ('cn', 'ipa'), ('cn', 'etc'),
+                              host.domain.basedn))
+    ipaconfigstring = [x.lower() for x in entry.get('ipaconfigstring')]
+    expected = ['compatca', 'ipaca']
+    assert expected == sorted(ipaconfigstring)
+
+    # cn=cacert,cn=certificates,cn=etc,basedn must contain the latest
+    # IPA CA
+    entry2 = ldap.get_entry(DN(('cn', 'CACert'), ('cn', 'ipa'),
+                               ('cn', 'etc'), host.domain.basedn))
+    cert_from_ldap = entry2.single_value['cACertificate']
+    assert cert == cert_from_ldap
+
+
 class TestSelfExternalSelf(IntegrationTest):
     """
     Test self-signed > external CA > self-signed test case.
@@ -175,6 +254,11 @@ class TestSelfExternalSelf(IntegrationTest):
         result = tasks.install_master(self.master)
         assert result.returncode == 0
 
+        # Check the content of the ldap entries for the CA
+        remote_cacrt = self.master.get_file_contents(paths.IPA_CA_CRT)
+        cacrt = ipa_x509.load_pem_x509_certificate(remote_cacrt)
+        verify_caentry(self.master, cacrt)
+
     def test_switch_to_external_ca(self):
 
         result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
@@ -201,14 +285,18 @@ class TestSelfExternalSelf(IntegrationTest):
         result = check_CA_flag(self.master)
         assert bool(result), ('External CA does not have "C" flag')
 
+        # Check that ldap entries for the CA have been updated
+        remote_cacrt = self.master.get_file_contents(ipa_ca_fname)
+        cacrt = ipa_x509.load_pem_x509_certificate(remote_cacrt)
+        verify_caentry(self.master, cacrt)
+
     def test_issuerDN_after_renew_to_external(self):
         """ Check if issuer DN is updated after self-signed > external-ca
 
         This test checks if issuer DN is updated properly after CA is
         renewed from self-signed to external-ca
         """
-        result = self.master.run_command(['ipa', 'ca-show', 'ipa'])
-        assert "Issuer DN: CN={}".format(ISSUER_CN) in result.stdout_text
+        check_ipaca_issuerDN(self.master, "CN={}".format(ISSUER_CN))
 
     def test_switch_back_to_self_signed(self):
 
@@ -234,6 +322,16 @@ class TestSelfExternalSelf(IntegrationTest):
         result = self.master.run_command([paths.IPA_CERTUPDATE])
         assert result.returncode == 0
 
+    def test_issuerDN_after_renew_to_self_signed(self):
+        """ Check if issuer DN is updated after external-ca > self-signed
+
+        This test checks if issuer DN is updated properly after CA is
+        renewed back from external-ca to self-signed
+        """
+        issuer_dn = 'CN=Certificate Authority,O={}'.format(
+            self.master.domain.realm)
+        check_ipaca_issuerDN(self.master, issuer_dn)
+
 
 class TestExternalCAdirsrvStop(IntegrationTest):
     """When the dirsrv service, which gets started during the first
@@ -302,6 +400,35 @@ class TestExternalCAInvalidCert(IntegrationTest):
         result = self.master.run_command(cmd, raiseonerr=False)
         assert result.returncode == 1
 
+    def test_external_ca_with_too_small_key(self):
+        # reuse the existing deployment and renewal CSR
+        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
+            self.master, paths.IPA_CA_CSR, ROOT_CA, IPA_CA, key_size=1024)
+
+        cmd = [
+            paths.IPA_CACERT_MANAGE, 'renew',
+            '--external-cert-file', ipa_ca_fname,
+            '--external-cert-file', root_ca_fname,
+        ]
+        result = self.master.run_command(cmd, raiseonerr=False)
+        assert result.returncode == 1
+
+
+class TestExternalCAInvalidIntermediate(IntegrationTest):
+    """Test case for https://pagure.io/freeipa/issue/7877"""
+
+    def test_invalid_intermediate(self):
+        install_server_external_ca_step1(self.master)
+        root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
+            self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA,
+            root_ca_path_length=0
+        )
+        result = install_server_external_ca_step2(
+            self.master, ipa_ca_fname, root_ca_fname, raiseonerr=False
+        )
+        assert result.returncode > 0
+        assert "basic contraint pathlen" in result.stderr_text
+
 
 class TestExternalCAInstall(IntegrationTest):
     """install CA cert manually """
@@ -381,3 +508,114 @@ class TestMultipleExternalCA(IntegrationTest):
             'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR,
             '-n', cert_nick])
         assert "CN=RootCA2" in result.stdout_text
+
+
+def _step1_profile(master, s):
+    return install_server_external_ca_step1(
+        master,
+        extra_args=['--external-ca-type=ms-cs', f'--external-ca-profile={s}'],
+        raiseonerr=False,
+    )
+
+
+def _test_invalid_profile(master, profile):
+    result = _step1_profile(master, profile)
+    assert result.returncode != 0
+    assert '--external-ca-profile' in result.stderr_text
+
+
+def _test_valid_profile(master, profile_cls, profile):
+    result = _step1_profile(master, profile)
+    assert result.returncode == 0
+    ipa_csr = master.get_file_contents(paths.ROOT_IPA_CSR)
+    check_mscs_extension(ipa_csr, profile_cls(profile))
+
+
+class TestExternalCAProfileScenarios(IntegrationTest):
+    """
+    Test the various --external-ca-profile scenarios.
+    This test is broken into sections, with each section first
+    testing invalid arguments, then a valid argument, and finally
+    uninstalling the half-installed IPA.
+
+    """
+
+    '''
+    Tranche 1: version 1 templates.
+
+    Test that --external-ca-profile=Foo gets propagated to the CSR.
+
+    The default template extension when --external-ca-type=ms-cs,
+    a V1 extension with value "SubCA", already gets tested by the
+    ``TestExternalCA`` class.
+
+    We only need to do Step 1 of installation, then check the CSR.
+
+    '''
+    def test_invalid_v1_template(self):
+        _test_invalid_profile(self.master, 'NotAnOid:1')
+
+    def test_valid_v1_template(self):
+        _test_valid_profile(
+            self.master, ipa_x509.MSCSTemplateV1, 'TemplateOfAwesome')
+
+    def test_uninstall_1(self):
+        tasks.uninstall_master(self.master)
+
+    '''
+    Tranche 2: V2 templates without minor version.
+
+    Test that V2 template specifiers without minor version get
+    propagated to CSR.  This class also tests all error modes in
+    specifying a V2 template, those being:
+
+    - no major version specified
+    - too many parts specified (i.e. major, minor, and then some more)
+    - major version is not an int
+    - major version is negative
+    - minor version is not an int
+    - minor version is negative
+
+    We only need to do Step 1 of installation, then check the CSR.
+
+    '''
+    def test_v2_template_too_few_parts(self):
+        _test_invalid_profile(self.master, '1.2.3.4')
+
+    def test_v2_template_too_many_parts(self):
+        _test_invalid_profile(self.master, '1.2.3.4:100:200:300')
+
+    def test_v2_template_major_version_not_int(self):
+        _test_invalid_profile(self.master, '1.2.3.4:wat:200')
+
+    def test_v2_template_major_version_negative(self):
+        _test_invalid_profile(self.master, '1.2.3.4:-1:200')
+
+    def test_v2_template_minor_version_not_int(self):
+        _test_invalid_profile(self.master, '1.2.3.4:100:wat')
+
+    def test_v2_template_minor_version_negative(self):
+        _test_invalid_profile(self.master, '1.2.3.4:100:-2')
+
+    def test_v2_template_valid_major_only(self):
+        _test_valid_profile(
+            self.master, ipa_x509.MSCSTemplateV2, '1.2.3.4:100')
+
+    def test_uninstall_2(self):
+        tasks.uninstall_master(self.master)
+
+    '''
+    Tranche 3: V2 templates with minor version.
+
+    Test that V2 template specifiers _with_ minor version get
+    propagated to CSR.  All error modes of V2 template specifiers
+    were tested in ``TestExternalCAProfileV2Major``.
+
+    We only need to do Step 1 of installation, then check the CSR.
+
+    '''
+    def test_v2_template_valid_major_minor(self):
+        _test_valid_profile(
+            self.master, ipa_x509.MSCSTemplateV2, '1.2.3.4:100:200')
+
+    # this is the end; no need to uninstall.