127 lines
3.7 KiB
Python
127 lines
3.7 KiB
Python
#
|
|
# Copyright (C) 2022 FreeIPA Contributors see COPYING for license
|
|
#
|
|
|
|
"""
|
|
Module provides tests for ipa-client-install with PKINIT
|
|
"""
|
|
import os
|
|
|
|
from ipaplatform.paths import paths
|
|
from ipatests.test_integration.base import IntegrationTest
|
|
from ipatests.pytest_ipa.integration import tasks
|
|
|
|
|
|
class TestPkinitClientInstall(IntegrationTest):
|
|
num_clients = 1
|
|
|
|
certfile = "/etc/pki/tls/certs/client.pem"
|
|
keyfile = "/etc/pki/tls/private/client.key"
|
|
tmpbundle = "/tmp/kdc-ca-bundle.pme"
|
|
|
|
@classmethod
|
|
def install(cls, mh):
|
|
tasks.install_master(cls.master)
|
|
|
|
def enforce_password_and_otp(self):
|
|
"""enforce otp by default and password for admin """
|
|
self.master.run_command(
|
|
[
|
|
"ipa",
|
|
"config-mod",
|
|
"--user-auth-type=otp",
|
|
]
|
|
)
|
|
self.master.run_command(
|
|
[
|
|
"ipa",
|
|
"user-mod",
|
|
"admin",
|
|
"--user-auth-type=password",
|
|
]
|
|
)
|
|
|
|
def add_certmaperule(self):
|
|
"""add certmap rule to map SAN dNSName to host entry"""
|
|
self.master.run_command(
|
|
[
|
|
"ipa",
|
|
"certmaprule-add",
|
|
"pkinit-host",
|
|
"--matchrule=<ISSUER>CN=Certificate Authority,.*",
|
|
"--maprule=(fqdn={subject_dns_name})",
|
|
]
|
|
)
|
|
|
|
def add_host(self):
|
|
"""Add host entry for client
|
|
|
|
Allow master to manage client so it can create a certificate.
|
|
"""
|
|
client = self.clients[0]
|
|
self.master.run_command(
|
|
["ipa", "host-add", "--force", client.hostname]
|
|
)
|
|
self.master.run_command(
|
|
[
|
|
"ipa",
|
|
"host-add-managedby",
|
|
f"--hosts={self.master.hostname}",
|
|
client.hostname,
|
|
]
|
|
)
|
|
|
|
def create_cert(self):
|
|
"""Create and copy certificate for client"""
|
|
client = self.clients[0]
|
|
self.master.run_command(
|
|
[
|
|
"mkdir",
|
|
"-p",
|
|
os.path.dirname(self.certfile),
|
|
os.path.dirname(self.keyfile),
|
|
]
|
|
)
|
|
self.master.run_command(
|
|
[
|
|
"ipa-getcert",
|
|
"request",
|
|
"-w",
|
|
# fmt: off
|
|
"-f", self.certfile,
|
|
"-k", self.keyfile,
|
|
"-N", client.hostname,
|
|
"-D", client.hostname,
|
|
"-K", f"host/{client.hostname}",
|
|
# fmt: on
|
|
]
|
|
)
|
|
# copy cert, key, and bundle to client
|
|
for filename in (self.certfile, self.keyfile):
|
|
data = self.master.get_file_contents(filename)
|
|
client.put_file_contents(filename, data)
|
|
|
|
cabundle = self.master.get_file_contents(paths.KDC_CA_BUNDLE_PEM)
|
|
client.put_file_contents(self.tmpbundle, cabundle)
|
|
|
|
def test_restart_krb5kdc(self):
|
|
tasks.kinit_admin(self.master)
|
|
self.enforce_password_and_otp()
|
|
self.master.run_command(['systemctl', 'stop', 'krb5kdc.service'])
|
|
self.master.run_command(['systemctl', 'start', 'krb5kdc.service'])
|
|
self.master.run_command(['systemctl', 'stop', 'kadmin.service'])
|
|
self.master.run_command(['systemctl', 'start', 'kadmin.service'])
|
|
|
|
def test_client_install_pkinit(self):
|
|
tasks.kinit_admin(self.master)
|
|
self.add_certmaperule()
|
|
self.add_host()
|
|
self.create_cert()
|
|
|
|
tasks.install_client(
|
|
self.master,
|
|
self.clients[0],
|
|
pkinit_identity=f"FILE:{self.certfile},{self.keyfile}",
|
|
extra_args=[f"--pkinit-anchor=FILE:{self.tmpbundle}"],
|
|
)
|