Skip to content

Commit

Permalink
Merge branch 'master' of https://github.com/freeipa/freeipa
Browse files Browse the repository at this point in the history
  • Loading branch information
root committed Nov 27, 2024
2 parents 2488a56 + c8befc9 commit 3011ec1
Show file tree
Hide file tree
Showing 2 changed files with 61 additions and 15 deletions.
37 changes: 25 additions & 12 deletions ipatests/test_integration/test_acme.py
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
)
from ipaplatform.osinfo import osinfo
from ipaplatform.paths import paths
from ipapython.dn import DN
from ipatests.test_integration.test_external_ca import (
install_server_external_ca_step1,
install_server_external_ca_step2,
Expand Down Expand Up @@ -144,6 +145,15 @@ def certbot_standalone_cert(host, acme_server, no_of_cert=1):
)


def get_389ds_backend(host):
""" Return the backend type used by 389ds (either 'bdb' or 'lmdb')"""
conn = host.ldap_connect()
entry = conn.get_entry(
DN('cn=config,cn=ldbm database,cn=plugins,cn=config'))
backend = entry.single_value.get('nsslapd-backend-implement')
return backend


class TestACME(CALessBase):
"""
Test the FreeIPA ACME service by using ACME clients on a FreeIPA client.
Expand Down Expand Up @@ -397,21 +407,22 @@ def test_centralize_acme_disable(self):
assert status == 'disabled'

def test_acme_pruning_no_random_serial(self):
"""This ACME install is configured without random serial
"""BDB install is configured without random serial
numbers. Verify that we can't enable pruning on it.
This test is located here because by default installs
don't enable RSNv3.
"""
if (tasks.get_pki_version(self.master)
< tasks.parse_version('11.3.0')):
raise pytest.skip("Certificate pruning is not available")
self.master.run_command(['ipa-acme-manage', 'enable'])
result = self.master.run_command(
['ipa-acme-manage', 'pruning', '--enable'],
raiseonerr=False)
assert result.returncode == 1
assert "requires random serial numbers" in result.stderr_text

# This test is only relevant with BDB backend
# as with LMDB, the installer now enable RSNv3 and cert pruning
if get_389ds_backend(self.master) == 'bdb':
result = self.master.run_command(
['ipa-acme-manage', 'pruning', '--enable'],
raiseonerr=False)
assert result.returncode == 1
assert "requires random serial numbers" in result.stderr_text

@server_install_teardown
def test_third_party_certs(self):
Expand Down Expand Up @@ -707,10 +718,12 @@ def test_enable_pruning(self):
if (tasks.get_pki_version(self.master)
< tasks.parse_version('11.3.0')):
raise pytest.skip("Certificate pruning is not available")
cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH)
assert "jobsScheduler.job.pruning.enabled=false".encode() in cs_cfg

self.master.run_command(['ipa-acme-manage', 'pruning', '--enable'])
# Pruning is enabled by default when the host supports lmdb
if get_389ds_backend(self.master) == 'bdb':
cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH)
assert "jobsScheduler.job.pruning.enabled=false".encode() in cs_cfg
self.master.run_command(['ipa-acme-manage', 'pruning', '--enable'])

cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH)
assert "jobsScheduler.enabled=true".encode() in cs_cfg
Expand Down
39 changes: 36 additions & 3 deletions ipatests/test_webui/test_cert.py
Original file line number Diff line number Diff line change
Expand Up @@ -93,15 +93,32 @@ def _add_and_revoke_cert(self, reason='1'):
csr = generate_csr(hostname)

self.navigate_to_entity(ENTITY)

# Save the existing cert serials before the new one is added
# the test will compare before/after in order to find the serial
# of the newly generated certificate
result = self.execute_api_from_ui('cert_find', [], {})
certs = result['result']['result']
before = [cert["serial_number"] for cert in certs]

self.facet_button_click('request_cert')
self.fill_textbox('principal', 'HTTP/{}'.format(hostname))
self.check_option('add', 'checked')
self.fill_textarea('csr', csr)
self.dialog_button_click('issue')
self.assert_notification(assert_text='Certificate requested')
self.navigate_to_entity(ENTITY)

# Save the existing cert serials after the new one is added
result = self.execute_api_from_ui('cert_find', [], {})
certs = result['result']['result']
after = [cert["serial_number"] for cert in certs]
new_serial = [serial for serial in after if serial not in before]
# Find the cert that was jsut generated
index = after.index(new_serial[0])

rows = self.get_rows()
cert = rows[-1]
cert = rows[index]

self.navigate_to_row_record(cert)
self.action_list_action('revoke_cert', False)
Expand Down Expand Up @@ -212,10 +229,18 @@ def test_search_minimum_serial(self):
# try searching using -1
check_minimum_serial(self, '-1', 'min_serial_number')

# Find the highest serial number and add 1 to be sure there is no
# cert with a higher serial number
result = self.execute_api_from_ui('cert_find', [], {})
certs = result['result']['result']
serials = [int(cert["serial_number_hex"], 0) for cert in certs]
serials.sort()
highest_serial = str(serials[-1] + 1)

# try using higher value than no. of certs present
self.navigate_to_entity(ENTITY)
self.select('select[name=search_option]', 'min_serial_number')
search_pkey(self, '99')
search_pkey(self, highest_serial)
rows = self.get_rows()
assert len(rows) == 0

Expand All @@ -226,8 +251,16 @@ def test_search_maximum_serial(self):
"""
self.init_app()
self.navigate_to_entity(ENTITY)

# Find the second lowest serial number
result = self.execute_api_from_ui('cert_find', [], {})
certs = result['result']['result']
serials = [int(cert["serial_number_hex"], 0) for cert in certs]
serials.sort()
second_serial = str(serials[1])

self.select('select[name=search_option]', 'max_serial_number')
search_pkey(self, '2')
search_pkey(self, second_serial)
rows = self.get_rows()
assert len(rows) == 2

Expand Down

0 comments on commit 3011ec1

Please sign in to comment.