ipa/SOURCES/0006-external-ca-profile-fix_rhbz#1731813.patch

1340 lines
47 KiB
Diff
Raw Normal View History

From d0d29ccc324bb9f95bffbe3162ee5c3c61c6086a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Thu, 11 Jul 2019 15:17:04 +1000
Subject: [PATCH] move MSCSTemplate classes to ipalib
As we expand the integration tests for external CA functionality, it
is helpful (and avoids duplication) to use the MSCSTemplate*
classes. These currently live in ipaserver.install.cainstance, but
ipatests is no longer permitted to import from ipaserver (see commit
81714976e5e13131654c78eb734746a20237c933). So move these classes to
ipalib.
Part of: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
install/tools/ipa-ca-install.in | 6 +-
ipalib/x509.py | 171 +++++++++++++++++
ipaserver/install/ca.py | 11 +-
ipaserver/install/cainstance.py | 180 +-----------------
ipaserver/install/ipa_cacert_manage.py | 14 +-
ipatests/test_integration/test_external_ca.py | 11 +-
ipatests/test_ipalib/test_x509.py | 115 +++++++++++
.../test_install/test_cainstance.py | 123 ------------
8 files changed, 307 insertions(+), 324 deletions(-)
delete mode 100644 ipatests/test_ipaserver/test_install/test_cainstance.py
diff --git a/install/tools/ipa-ca-install.in b/install/tools/ipa-ca-install.in
index 0700c0c38b..ce6d5fcb52 100644
--- a/install/tools/ipa-ca-install.in
+++ b/install/tools/ipa-ca-install.in
@@ -37,7 +37,7 @@ from ipaserver.install import cainstance, service
from ipaserver.install import custodiainstance
from ipaserver.masters import find_providing_server
from ipapython import version
-from ipalib import api
+from ipalib import api, x509
from ipalib.constants import DOMAIN_LEVEL_1
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import standard_logging_setup
@@ -68,13 +68,13 @@ def parse_options():
default=False, help="unattended installation never prompts the user")
parser.add_option("--external-ca", dest="external_ca", action="store_true",
default=False, help="Generate a CSR to be signed by an external CA")
- ext_cas = tuple(x.value for x in cainstance.ExternalCAType)
+ ext_cas = tuple(x.value for x in x509.ExternalCAType)
parser.add_option("--external-ca-type", dest="external_ca_type",
type="choice", choices=ext_cas,
metavar="{{{0}}}".format(",".join(ext_cas)),
help="Type of the external CA. Default: generic")
parser.add_option("--external-ca-profile", dest="external_ca_profile",
- type='constructor', constructor=cainstance.ExternalCAProfile,
+ type='constructor', constructor=x509.ExternalCAProfile,
default=None, metavar="PROFILE-SPEC",
help="Specify the certificate profile/template to use "
"at the external CA")
diff --git a/ipalib/x509.py b/ipalib/x509.py
index ab3c5f553d..1f612a3797 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -34,6 +34,7 @@
import os
import binascii
import datetime
+import enum
import ipaddress
import ssl
import base64
@@ -47,6 +48,7 @@
Encoding, PublicFormat, PrivateFormat, load_pem_private_key
)
import pyasn1
+import pyasn1.error
from pyasn1.type import univ, char, namedtype, tag
from pyasn1.codec.der import decoder, encoder
from pyasn1_modules import rfc2315, rfc2459
@@ -745,3 +747,172 @@ def format_datetime(t):
if t.tzinfo is None:
t = t.replace(tzinfo=UTC())
return unicode(t.strftime("%a %b %d %H:%M:%S %Y %Z"))
+
+
+class ExternalCAType(enum.Enum):
+ GENERIC = 'generic'
+ MS_CS = 'ms-cs'
+
+
+class ExternalCAProfile:
+ """
+ An external CA profile configuration. Currently the only
+ subclasses are for Microsoft CAs, for providing data in the
+ "Certificate Template" extension.
+
+ Constructing this class will actually return an instance of a
+ subclass.
+
+ Subclasses MUST set ``valid_for``.
+
+ """
+ def __init__(self, s=None):
+ self.unparsed_input = s
+
+ # Which external CA types is the data valid for?
+ # A set of VALUES of the ExternalCAType enum.
+ valid_for = set()
+
+ def __new__(cls, s=None):
+ """Construct the ExternalCAProfile value.
+
+ Return an instance of a subclass determined by
+ the format of the argument.
+
+ """
+ # we are directly constructing a subclass; instantiate
+ # it and be done
+ if cls is not ExternalCAProfile:
+ return super(ExternalCAProfile, cls).__new__(cls)
+
+ # construction via the base class; therefore the string
+ # argument is required, and is used to determine which
+ # subclass to construct
+ if s is None:
+ raise ValueError('string argument is required')
+
+ parts = s.split(':')
+
+ try:
+ # Is the first part on OID?
+ _oid = univ.ObjectIdentifier(parts[0])
+
+ # It is; construct a V2 template
+ # pylint: disable=too-many-function-args
+ return MSCSTemplateV2.__new__(MSCSTemplateV2, s)
+
+ except pyasn1.error.PyAsn1Error:
+ # It is not an OID; treat as a template name
+ # pylint: disable=too-many-function-args
+ return MSCSTemplateV1.__new__(MSCSTemplateV1, s)
+
+ def __getstate__(self):
+ return self.unparsed_input
+
+ def __setstate__(self, state):
+ # explicitly call __init__ method to initialise object
+ self.__init__(state)
+
+
+class MSCSTemplate(ExternalCAProfile):
+ """
+ An Microsoft AD-CS Template specifier.
+
+ Subclasses MUST set ext_oid.
+
+ Subclass constructors MUST set asn1obj.
+
+ """
+ valid_for = set([ExternalCAType.MS_CS.value])
+
+ ext_oid = None # extension OID, as a Python str
+ asn1obj = None # unencoded extension data
+
+ def get_ext_data(self):
+ """Return DER-encoded extension data."""
+ return encoder.encode(self.asn1obj)
+
+
+class MSCSTemplateV1(MSCSTemplate):
+ """
+ A v1 template specifier, per
+ https://msdn.microsoft.com/en-us/library/cc250011.aspx.
+
+ ::
+
+ CertificateTemplateName ::= SEQUENCE {
+ Name UTF8String
+ }
+
+ But note that a bare BMPString is used in practice.
+
+ """
+ ext_oid = "1.3.6.1.4.1.311.20.2"
+
+ def __init__(self, s):
+ super(MSCSTemplateV1, self).__init__(s)
+ parts = s.split(':')
+ if len(parts) > 1:
+ raise ValueError(
+ "Cannot specify certificate template version when using name.")
+ self.asn1obj = char.BMPString(str(parts[0]))
+
+
+class MSCSTemplateV2(MSCSTemplate):
+ """
+ A v2 template specifier, per
+ https://msdn.microsoft.com/en-us/library/windows/desktop/aa378274(v=vs.85).aspx
+
+ ::
+
+ CertificateTemplate ::= SEQUENCE {
+ templateID EncodedObjectID,
+ templateMajorVersion TemplateVersion,
+ templateMinorVersion TemplateVersion OPTIONAL
+ }
+
+ TemplateVersion ::= INTEGER (0..4294967295)
+
+ """
+ ext_oid = "1.3.6.1.4.1.311.21.7"
+
+ @staticmethod
+ def check_version_in_range(desc, n):
+ if n < 0 or n >= 2**32:
+ raise ValueError(
+ "Template {} version must be in range 0..4294967295"
+ .format(desc))
+
+ def __init__(self, s):
+ super(MSCSTemplateV2, self).__init__(s)
+
+ parts = s.split(':')
+
+ obj = CertificateTemplateV2()
+ if len(parts) < 2 or len(parts) > 3:
+ raise ValueError(
+ "Incorrect template specification; required format is: "
+ "<oid>:<majorVersion>[:<minorVersion>]")
+ try:
+ obj['templateID'] = univ.ObjectIdentifier(parts[0])
+
+ major = int(parts[1])
+ self.check_version_in_range("major", major)
+ obj['templateMajorVersion'] = major
+
+ if len(parts) > 2:
+ minor = int(parts[2])
+ self.check_version_in_range("minor", minor)
+ obj['templateMinorVersion'] = int(parts[2])
+
+ except pyasn1.error.PyAsn1Error:
+ raise ValueError("Could not parse certificate template specifier.")
+ self.asn1obj = obj
+
+
+class CertificateTemplateV2(univ.Sequence):
+ componentType = namedtype.NamedTypes(
+ namedtype.NamedType('templateID', univ.ObjectIdentifier()),
+ namedtype.NamedType('templateMajorVersion', univ.Integer()),
+ namedtype.OptionalNamedType('templateMinorVersion', univ.Integer())
+ )
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 6b040b311a..8fb5e3ec91 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -28,7 +28,7 @@
from ipaplatform.paths import paths
from ipaserver.install import installutils, certs
from ipaserver.install.replication import replica_conn_check
-from ipalib import api, errors
+from ipalib import api, errors, x509
from ipapython.dn import DN
from . import conncheck, dogtag, cainstance
@@ -216,8 +216,7 @@ def install_check(standalone, replica_config, options):
paths.ROOT_IPA_CSR)
if not options.external_ca_type:
- options.external_ca_type = \
- cainstance.ExternalCAType.GENERIC.value
+ options.external_ca_type = x509.ExternalCAType.GENERIC.value
if options.external_ca_profile is not None:
# check that profile is valid for the external ca type
@@ -478,13 +477,11 @@ class CAInstallInterface(dogtag.DogtagInstallInterface,
external_ca = master_install_only(external_ca)
external_ca_type = knob(
- cainstance.ExternalCAType, None,
- description="Type of the external CA",
- )
+ x509.ExternalCAType, None, description="Type of the external CA")
external_ca_type = master_install_only(external_ca_type)
external_ca_profile = knob(
- type=cainstance.ExternalCAProfile,
+ type=x509.ExternalCAProfile,
default=None,
description=(
"Specify the certificate profile/template to use at the "
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 6e1fc724db..2295581870 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -26,7 +26,6 @@
import logging
import dbus
-import enum
import ldap
import os
import pwd
@@ -39,10 +38,6 @@
import tempfile
from configparser import RawConfigParser
-from pyasn1.codec.der import encoder
-from pyasn1.type import char, univ, namedtype
-import pyasn1.error
-
from ipalib import api
from ipalib import x509
from ipalib import errors
@@ -80,11 +75,6 @@
]
-class ExternalCAType(enum.Enum):
- GENERIC = 'generic'
- MS_CS = 'ms-cs'
-
-
def check_ports():
"""Check that dogtag ports (8080, 8443) are available.
@@ -367,7 +357,7 @@ def configure_instance(self, host_name, dm_password, admin_password,
if ca_type is not None:
self.ca_type = ca_type
else:
- self.ca_type = ExternalCAType.GENERIC.value
+ self.ca_type = x509.ExternalCAType.GENERIC.value
self.external_ca_profile = external_ca_profile
self.no_db_setup = promote
@@ -537,12 +527,12 @@ def __spawn_instance(self):
pki_ca_signing_csr_path=self.csr_file,
)
- if self.ca_type == ExternalCAType.MS_CS.value:
+ if self.ca_type == x509.ExternalCAType.MS_CS.value:
# Include MS template name extension in the CSR
template = self.external_ca_profile
if template is None:
# default template name
- template = MSCSTemplateV1(u"SubCA")
+ template = x509.MSCSTemplateV1(u"SubCA")
ext_data = binascii.hexlify(template.get_ext_data())
cfg.update(
@@ -2081,170 +2071,6 @@ def update_ipa_conf():
parser.write(f)
-class ExternalCAProfile:
- """
- An external CA profile configuration. Currently the only
- subclasses are for Microsoft CAs, for providing data in the
- "Certificate Template" extension.
-
- Constructing this class will actually return an instance of a
- subclass.
-
- Subclasses MUST set ``valid_for``.
-
- """
- def __init__(self, s=None):
- self.unparsed_input = s
-
- # Which external CA types is the data valid for?
- # A set of VALUES of the ExternalCAType enum.
- valid_for = set()
-
- def __new__(cls, s=None):
- """Construct the ExternalCAProfile value.
-
- Return an instance of a subclass determined by
- the format of the argument.
-
- """
- # we are directly constructing a subclass; instantiate
- # it and be done
- if cls is not ExternalCAProfile:
- return super(ExternalCAProfile, cls).__new__(cls)
-
- # construction via the base class; therefore the string
- # argument is required, and is used to determine which
- # subclass to construct
- if s is None:
- raise ValueError('string argument is required')
-
- parts = s.split(':')
-
- try:
- # Is the first part on OID?
- _oid = univ.ObjectIdentifier(parts[0])
-
- # It is; construct a V2 template
- # pylint: disable=too-many-function-args
- return MSCSTemplateV2.__new__(MSCSTemplateV2, s)
-
- except pyasn1.error.PyAsn1Error:
- # It is not an OID; treat as a template name
- # pylint: disable=too-many-function-args
- return MSCSTemplateV1.__new__(MSCSTemplateV1, s)
-
- def __getstate__(self):
- return self.unparsed_input
-
- def __setstate__(self, state):
- # explicitly call __init__ method to initialise object
- self.__init__(state)
-
-
-class MSCSTemplate(ExternalCAProfile):
- """
- An Microsoft AD-CS Template specifier.
-
- Subclasses MUST set ext_oid.
-
- Subclass constructors MUST set asn1obj.
-
- """
- valid_for = set([ExternalCAType.MS_CS.value])
-
- ext_oid = None # extension OID, as a Python str
- asn1obj = None # unencoded extension data
-
- def get_ext_data(self):
- """Return DER-encoded extension data."""
- return encoder.encode(self.asn1obj)
-
-
-class MSCSTemplateV1(MSCSTemplate):
- """
- A v1 template specifier, per
- https://msdn.microsoft.com/en-us/library/cc250011.aspx.
-
- ::
-
- CertificateTemplateName ::= SEQUENCE {
- Name UTF8String
- }
-
- But note that a bare BMPString is used in practice.
-
- """
- ext_oid = "1.3.6.1.4.1.311.20.2"
-
- def __init__(self, s):
- super(MSCSTemplateV1, self).__init__(s)
- parts = s.split(':')
- if len(parts) > 1:
- raise ValueError(
- "Cannot specify certificate template version when using name.")
- self.asn1obj = char.BMPString(str(parts[0]))
-
-
-class MSCSTemplateV2(MSCSTemplate):
- """
- A v2 template specifier, per
- https://msdn.microsoft.com/en-us/library/windows/desktop/aa378274(v=vs.85).aspx
-
- ::
-
- CertificateTemplate ::= SEQUENCE {
- templateID EncodedObjectID,
- templateMajorVersion TemplateVersion,
- templateMinorVersion TemplateVersion OPTIONAL
- }
-
- TemplateVersion ::= INTEGER (0..4294967295)
-
- """
- ext_oid = "1.3.6.1.4.1.311.21.7"
-
- @staticmethod
- def check_version_in_range(desc, n):
- if n < 0 or n >= 2**32:
- raise ValueError(
- "Template {} version must be in range 0..4294967295"
- .format(desc))
-
- def __init__(self, s):
- super(MSCSTemplateV2, self).__init__(s)
-
- parts = s.split(':')
-
- obj = CertificateTemplateV2()
- if len(parts) < 2 or len(parts) > 3:
- raise ValueError(
- "Incorrect template specification; required format is: "
- "<oid>:<majorVersion>[:<minorVersion>]")
- try:
- obj['templateID'] = univ.ObjectIdentifier(parts[0])
-
- major = int(parts[1])
- self.check_version_in_range("major", major)
- obj['templateMajorVersion'] = major
-
- if len(parts) > 2:
- minor = int(parts[2])
- self.check_version_in_range("minor", minor)
- obj['templateMinorVersion'] = int(parts[2])
-
- except pyasn1.error.PyAsn1Error:
- raise ValueError("Could not parse certificate template specifier.")
- self.asn1obj = obj
-
-
-class CertificateTemplateV2(univ.Sequence):
- componentType = namedtype.NamedTypes(
- namedtype.NamedType('templateID', univ.ObjectIdentifier()),
- namedtype.NamedType('templateMajorVersion', univ.Integer()),
- namedtype.OptionalNamedType('templateMinorVersion', univ.Integer())
- )
-
-
if __name__ == "__main__":
standard_logging_setup("install.log")
ds = dsinstance.DsInstance()
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 3f113c35bf..37dcc2befa 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -65,7 +65,7 @@ def add_options(cls, parser):
"--external-ca", dest='self_signed',
action='store_false',
help="Sign the renewed certificate by external CA")
- ext_cas = tuple(x.value for x in cainstance.ExternalCAType)
+ ext_cas = tuple(x.value for x in x509.ExternalCAType)
renew_group.add_option(
"--external-ca-type", dest="external_ca_type",
type="choice", choices=ext_cas,
@@ -73,7 +73,7 @@ def add_options(cls, parser):
help="Type of the external CA. Default: generic")
renew_group.add_option(
"--external-ca-profile", dest="external_ca_profile",
- type='constructor', constructor=cainstance.ExternalCAProfile,
+ type='constructor', constructor=x509.ExternalCAProfile,
default=None, metavar="PROFILE-SPEC",
help="Specify the certificate profile/template to use "
"at the external CA")
@@ -224,11 +224,11 @@ def renew_external_step_1(self, ca):
options = self.options
if not options.external_ca_type:
- options.external_ca_type = cainstance.ExternalCAType.GENERIC.value
+ options.external_ca_type = x509.ExternalCAType.GENERIC.value
- if options.external_ca_type == cainstance.ExternalCAType.MS_CS.value \
+ if options.external_ca_type == x509.ExternalCAType.MS_CS.value \
and options.external_ca_profile is None:
- options.external_ca_profile = cainstance.MSCSTemplateV1(u"SubCA")
+ options.external_ca_profile = x509.MSCSTemplateV1(u"SubCA")
if options.external_ca_profile is not None:
# check that profile is valid for the external ca type
@@ -352,11 +352,11 @@ def resubmit_request(self, ca=RENEWAL_CA_NAME, profile=None):
timeout = api.env.startup_timeout + 60
cm_profile = None
- if isinstance(profile, cainstance.MSCSTemplateV1):
+ if isinstance(profile, x509.MSCSTemplateV1):
cm_profile = profile.unparsed_input
cm_template = None
- if isinstance(profile, cainstance.MSCSTemplateV2):
+ if isinstance(profile, x509.MSCSTemplateV2):
cm_template = profile.unparsed_input
logger.debug("resubmitting certmonger request '%s'", self.request_id)
diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
index a42355217d..5aa2b7bba0 100644
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
@@ -108,14 +108,14 @@ def check_ipaca_issuerDN(host, expected_dn):
assert "Issuer DN: {}".format(expected_dn) in result.stdout_text
-def check_mscs_extension(ipa_csr, oid, value):
+def check_mscs_extension(ipa_csr, template):
csr = x509.load_pem_x509_csr(ipa_csr, default_backend())
extensions = [
ext for ext in csr.extensions
- if ext.oid.dotted_string == oid
+ if ext.oid.dotted_string == template.ext_oid
]
assert extensions
- assert extensions[0].value.value == value
+ assert extensions[0].value.value == template.get_ext_data()
class TestExternalCA(IntegrationTest):
@@ -134,10 +134,7 @@ def test_external_ca(self):
# check CSR for extension
ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR)
- # Values for MSCSTemplateV1('SubCA')
- oid = "1.3.6.1.4.1.311.20.2"
- value = b'\x1e\n\x00S\x00u\x00b\x00C\x00A'
- check_mscs_extension(ipa_csr, oid, value)
+ check_mscs_extension(ipa_csr, ipa_x509.MSCSTemplateV1(u'SubCA'))
# Sign CA, transport it to the host and get ipa a root ca paths.
root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
diff --git a/ipatests/test_ipalib/test_x509.py b/ipatests/test_ipalib/test_x509.py
index ff7e6de2f7..284b998316 100644
--- a/ipatests/test_ipalib/test_x509.py
+++ b/ipatests/test_ipalib/test_x509.py
@@ -22,7 +22,11 @@
"""
import base64
+from binascii import hexlify
+from configparser import RawConfigParser
import datetime
+from io import StringIO
+import pickle
import pytest
@@ -268,3 +272,114 @@ def test_ipa_demo_letsencrypt(self):
b'0 \x06\x03U\x1d%\x01\x01\xff\x04\x160\x14\x06\x08+\x06\x01'
b'\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x02'
)
+
+
+class test_ExternalCAProfile:
+ def test_MSCSTemplateV1_good(self):
+ o = x509.MSCSTemplateV1("MySubCA")
+ assert hexlify(o.get_ext_data()) == b'1e0e004d007900530075006200430041'
+
+ def test_MSCSTemplateV1_bad(self):
+ with pytest.raises(ValueError):
+ x509.MSCSTemplateV1("MySubCA:1")
+
+ def test_MSCSTemplateV1_pickle_roundtrip(self):
+ o = x509.MSCSTemplateV1("MySubCA")
+ s = pickle.dumps(o)
+ assert o.get_ext_data() == pickle.loads(s).get_ext_data()
+
+ def test_MSCSTemplateV2_too_few_parts(self):
+ with pytest.raises(ValueError):
+ x509.MSCSTemplateV2("1.2.3.4")
+
+ def test_MSCSTemplateV2_too_many_parts(self):
+ with pytest.raises(ValueError):
+ x509.MSCSTemplateV2("1.2.3.4:100:200:300")
+
+ def test_MSCSTemplateV2_bad_oid(self):
+ with pytest.raises(ValueError):
+ x509.MSCSTemplateV2("not_an_oid:1")
+
+ def test_MSCSTemplateV2_non_numeric_major_version(self):
+ with pytest.raises(ValueError):
+ x509.MSCSTemplateV2("1.2.3.4:major:200")
+
+ def test_MSCSTemplateV2_non_numeric_minor_version(self):
+ with pytest.raises(ValueError):
+ x509.MSCSTemplateV2("1.2.3.4:100:minor")
+
+ def test_MSCSTemplateV2_major_version_lt_zero(self):
+ with pytest.raises(ValueError):
+ x509.MSCSTemplateV2("1.2.3.4:-1:200")
+
+ def test_MSCSTemplateV2_minor_version_lt_zero(self):
+ with pytest.raises(ValueError):
+ x509.MSCSTemplateV2("1.2.3.4:100:-1")
+
+ def test_MSCSTemplateV2_major_version_gt_max(self):
+ with pytest.raises(ValueError):
+ x509.MSCSTemplateV2("1.2.3.4:4294967296:200")
+
+ def test_MSCSTemplateV2_minor_version_gt_max(self):
+ with pytest.raises(ValueError):
+ x509.MSCSTemplateV2("1.2.3.4:100:4294967296")
+
+ def test_MSCSTemplateV2_good_major(self):
+ o = x509.MSCSTemplateV2("1.2.3.4:4294967295")
+ assert hexlify(o.get_ext_data()) == b'300c06032a0304020500ffffffff'
+
+ def test_MSCSTemplateV2_good_major_minor(self):
+ o = x509.MSCSTemplateV2("1.2.3.4:4294967295:0")
+ assert hexlify(o.get_ext_data()) \
+ == b'300f06032a0304020500ffffffff020100'
+
+ def test_MSCSTemplateV2_pickle_roundtrip(self):
+ o = x509.MSCSTemplateV2("1.2.3.4:4294967295:0")
+ s = pickle.dumps(o)
+ assert o.get_ext_data() == pickle.loads(s).get_ext_data()
+
+ def test_ExternalCAProfile_dispatch(self):
+ """
+ Test that constructing ExternalCAProfile actually returns an
+ instance of the appropriate subclass.
+ """
+ assert isinstance(
+ x509.ExternalCAProfile("MySubCA"),
+ x509.MSCSTemplateV1)
+ assert isinstance(
+ x509.ExternalCAProfile("1.2.3.4:100"),
+ x509.MSCSTemplateV2)
+
+ def test_write_pkispawn_config_file_MSCSTemplateV1(self):
+ template = x509.MSCSTemplateV1(u"SubCA")
+ expected = (
+ '[CA]\n'
+ 'pki_req_ext_oid = 1.3.6.1.4.1.311.20.2\n'
+ 'pki_req_ext_data = 1e0a00530075006200430041\n\n'
+ )
+ self._test_write_pkispawn_config_file(template, expected)
+
+ def test_write_pkispawn_config_file_MSCSTemplateV2(self):
+ template = x509.MSCSTemplateV2(u"1.2.3.4:4294967295")
+ expected = (
+ '[CA]\n'
+ 'pki_req_ext_oid = 1.3.6.1.4.1.311.21.7\n'
+ 'pki_req_ext_data = 300c06032a0304020500ffffffff\n\n'
+ )
+ self._test_write_pkispawn_config_file(template, expected)
+
+ def _test_write_pkispawn_config_file(self, template, expected):
+ """
+ Test that the values we read from an ExternalCAProfile
+ object can be used to produce a reasonable-looking pkispawn
+ configuration.
+ """
+ config = RawConfigParser()
+ config.optionxform = str
+ config.add_section("CA")
+ config.set("CA", "pki_req_ext_oid", template.ext_oid)
+ config.set("CA", "pki_req_ext_data",
+ hexlify(template.get_ext_data()).decode('ascii'))
+ out = StringIO()
+ config.write(out)
+ assert out.getvalue() == expected
diff --git a/ipatests/test_ipaserver/test_install/test_cainstance.py b/ipatests/test_ipaserver/test_install/test_cainstance.py
deleted file mode 100644
index 02d9758e4a..0000000000
--- a/ipatests/test_ipaserver/test_install/test_cainstance.py
+++ /dev/null
@@ -1,123 +0,0 @@
-#
-# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
-#
-
-from binascii import hexlify
-from io import StringIO
-import pickle
-from configparser import RawConfigParser
-import pytest
-from ipaserver.install import cainstance
-
-pytestmark = pytest.mark.tier0
-
-
-class test_ExternalCAProfile:
- def test_MSCSTemplateV1_good(self):
- o = cainstance.MSCSTemplateV1("MySubCA")
- assert hexlify(o.get_ext_data()) == b'1e0e004d007900530075006200430041'
-
- def test_MSCSTemplateV1_bad(self):
- with pytest.raises(ValueError):
- cainstance.MSCSTemplateV1("MySubCA:1")
-
- def test_MSCSTemplateV1_pickle_roundtrip(self):
- o = cainstance.MSCSTemplateV1("MySubCA")
- s = pickle.dumps(o)
- assert o.get_ext_data() == pickle.loads(s).get_ext_data()
-
- def test_MSCSTemplateV2_too_few_parts(self):
- with pytest.raises(ValueError):
- cainstance.MSCSTemplateV2("1.2.3.4")
-
- def test_MSCSTemplateV2_too_many_parts(self):
- with pytest.raises(ValueError):
- cainstance.MSCSTemplateV2("1.2.3.4:100:200:300")
-
- def test_MSCSTemplateV2_bad_oid(self):
- with pytest.raises(ValueError):
- cainstance.MSCSTemplateV2("not_an_oid:1")
-
- def test_MSCSTemplateV2_non_numeric_major_version(self):
- with pytest.raises(ValueError):
- cainstance.MSCSTemplateV2("1.2.3.4:major:200")
-
- def test_MSCSTemplateV2_non_numeric_minor_version(self):
- with pytest.raises(ValueError):
- cainstance.MSCSTemplateV2("1.2.3.4:100:minor")
-
- def test_MSCSTemplateV2_major_version_lt_zero(self):
- with pytest.raises(ValueError):
- cainstance.MSCSTemplateV2("1.2.3.4:-1:200")
-
- def test_MSCSTemplateV2_minor_version_lt_zero(self):
- with pytest.raises(ValueError):
- cainstance.MSCSTemplateV2("1.2.3.4:100:-1")
-
- def test_MSCSTemplateV2_major_version_gt_max(self):
- with pytest.raises(ValueError):
- cainstance.MSCSTemplateV2("1.2.3.4:4294967296:200")
-
- def test_MSCSTemplateV2_minor_version_gt_max(self):
- with pytest.raises(ValueError):
- cainstance.MSCSTemplateV2("1.2.3.4:100:4294967296")
-
- def test_MSCSTemplateV2_good_major(self):
- o = cainstance.MSCSTemplateV2("1.2.3.4:4294967295")
- assert hexlify(o.get_ext_data()) == b'300c06032a0304020500ffffffff'
-
- def test_MSCSTemplateV2_good_major_minor(self):
- o = cainstance.MSCSTemplateV2("1.2.3.4:4294967295:0")
- assert hexlify(o.get_ext_data()) \
- == b'300f06032a0304020500ffffffff020100'
-
- def test_MSCSTemplateV2_pickle_roundtrip(self):
- o = cainstance.MSCSTemplateV2("1.2.3.4:4294967295:0")
- s = pickle.dumps(o)
- assert o.get_ext_data() == pickle.loads(s).get_ext_data()
-
- def test_ExternalCAProfile_dispatch(self):
- """
- Test that constructing ExternalCAProfile actually returns an
- instance of the appropriate subclass.
- """
- assert isinstance(
- cainstance.ExternalCAProfile("MySubCA"),
- cainstance.MSCSTemplateV1)
- assert isinstance(
- cainstance.ExternalCAProfile("1.2.3.4:100"),
- cainstance.MSCSTemplateV2)
-
- def test_write_pkispawn_config_file_MSCSTemplateV1(self):
- template = cainstance.MSCSTemplateV1(u"SubCA")
- expected = (
- '[CA]\n'
- 'pki_req_ext_oid = 1.3.6.1.4.1.311.20.2\n'
- 'pki_req_ext_data = 1e0a00530075006200430041\n\n'
- )
- self._test_write_pkispawn_config_file(template, expected)
-
- def test_write_pkispawn_config_file_MSCSTemplateV2(self):
- template = cainstance.MSCSTemplateV2(u"1.2.3.4:4294967295")
- expected = (
- '[CA]\n'
- 'pki_req_ext_oid = 1.3.6.1.4.1.311.21.7\n'
- 'pki_req_ext_data = 300c06032a0304020500ffffffff\n\n'
- )
- self._test_write_pkispawn_config_file(template, expected)
-
- def _test_write_pkispawn_config_file(self, template, expected):
- """
- Test that the values we read from an ExternalCAProfile
- object can be used to produce a reasonable-looking pkispawn
- configuration.
- """
- config = RawConfigParser()
- config.optionxform = str
- config.add_section("CA")
- config.set("CA", "pki_req_ext_oid", template.ext_oid)
- config.set("CA", "pki_req_ext_data",
- hexlify(template.get_ext_data()).decode('ascii'))
- out = StringIO()
- config.write(out)
- assert out.getvalue() == expected
From e632b220798833bcd65c6b266610c800ed0914d7 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 12 Jul 2019 13:13:02 +1000
Subject: [PATCH] install: fix --external-ca-profile option
Commit dd47cfc75a69618f486abefb70f2649ebf8264e7 removed the ability
to set pki_req_ext_oid and pki_req_ext_data in the pkispawn config.
This results in the --external-ca-profile option never setting the
requested values in the CSR (the default V1 template type specifying
"SubCA" is always used).
Remove relevant fields from both ipaca_default.ini and
ipaca_customize.ini. This allows the IPA framework to set the
values (i.e. when --external-ca-type=ms-cs and
--external-ca-profile=... demand it). It also allows users to
override the pki_req_ext_* settings.
Part of: https://pagure.io/freeipa/issue/7548
Related: https://pagure.io/freeipa/issue/5608
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
install/share/ipaca_customize.ini | 5 -----
install/share/ipaca_default.ini | 1 -
2 files changed, 6 deletions(-)
diff --git a/install/share/ipaca_customize.ini b/install/share/ipaca_customize.ini
index 130ec2c102..6d58579af8 100644
--- a/install/share/ipaca_customize.ini
+++ b/install/share/ipaca_customize.ini
@@ -93,11 +93,6 @@ pki_ca_signing_key_type=%(ipa_ca_key_type)s
pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s
pki_ca_signing_token=%(pki_token_name)s
-# MS subca request ext data
-pki_req_ext_oid=1.3.6.1.4.1.311.20.2
-pki_req_ext_critical=False
-pki_req_ext_data=1E0A00530075006200430041
-
## ocspSigningCert cert-pki-ca
pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s
pki_ocsp_signing_key_size=%(ipa_key_size)s
diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini
index fedc1b9a74..2b9900286e 100644
--- a/install/share/ipaca_default.ini
+++ b/install/share/ipaca_default.ini
@@ -115,7 +115,6 @@ pki_ca_starting_crl_number=0
pki_external=False
pki_external_step_two=False
-pki_req_ext_add=False
pki_external_pkcs12_path=%(pki_pkcs12_path)s
pki_external_pkcs12_password=%(pki_pkcs12_password)s
From 71af731b3069fa1b2c0b51a3b917b5bc4da54350 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 12 Jul 2019 13:24:51 +1000
Subject: [PATCH] Fix use of incorrect variable
Part of: https://pagure.io/freeipa/issue/7548
Related: https://pagure.io/freeipa/issue/5608
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/dogtaginstance.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index cc75d89746..5dca721d6c 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -853,7 +853,7 @@ def _verify_immutable(self, config, immutable_settings, filename):
if errs:
raise ValueError(
'{} overrides immutable options:\n{}'.format(
- filename, '\n'.join(errors)
+ filename, '\n'.join(errs)
)
)
From 83ed05725110de19a7098678274ecaaaf6a2c9c9 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <frase@frase.id.au>
Date: Wed, 20 Feb 2019 18:34:33 +1100
Subject: [PATCH] Add more tests for --external-ca-profile handling
Add tests for remaining untested scenarios of --external-ca-profile
handling in ipa-server-install.
ipa-ca-install and ipa-cacert-manage remain untested at present.
Fixes: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_external_ca.py | 97 ++++++++++++++++++-
1 file changed, 95 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
index 5aa2b7bba0..dc9a09b43b 100644
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
@@ -74,10 +74,10 @@ def match_in_journal(host, string, since='today', services=('certmonger',)):
return match
-def install_server_external_ca_step1(host, extra_args=()):
+def install_server_external_ca_step1(host, extra_args=(), raiseonerr=True):
"""Step 1 to install the ipa server with external ca"""
return tasks.install_master(
- host, external_ca=True, extra_args=extra_args
+ host, external_ca=True, extra_args=extra_args, raiseonerr=raiseonerr,
)
@@ -478,3 +478,96 @@ def test_master_install_ca2(self):
'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR,
'-n', cert_nick])
assert "CN=RootCA2" in result.stdout_text
+
+
+def _step1_profile(master, s):
+ return install_server_external_ca_step1(
+ master,
+ extra_args=['--external-ca-type=ms-cs', f'--external-ca-profile={s}'],
+ raiseonerr=False,
+ )
+
+
+def _test_invalid_profile(master, profile):
+ result = _step1_profile(master, profile)
+ assert result.returncode != 0
+ assert '--external-ca-profile' in result.stderr_text
+
+
+def _test_valid_profile(master, profile_cls, profile):
+ result = _step1_profile(master, profile)
+ assert result.returncode == 0
+ ipa_csr = master.get_file_contents(paths.ROOT_IPA_CSR)
+ check_mscs_extension(ipa_csr, profile_cls(profile))
+
+
+class TestExternalCAProfileV1(IntegrationTest):
+ """
+ Test that --external-ca-profile=Foo gets propagated to the CSR.
+
+ The default template extension when --external-ca-type=ms-cs,
+ a V1 extension with value "SubCA", already gets tested by the
+ ``TestExternalCA`` class.
+
+ We only need to do Step 1 of installation, then check the CSR.
+
+ """
+ def test_invalid_v1_template(self):
+ _test_invalid_profile(self.master, 'NotAnOid:1')
+
+ def test_valid_v1_template(self):
+ _test_valid_profile(
+ self.master, ipa_x509.MSCSTemplateV1, 'TemplateOfAwesome')
+
+
+class TestExternalCAProfileV2MajorOnly(IntegrationTest):
+ """
+ Test that V2 template specifiers without minor version get
+ propagated to CSR. This class also tests all error modes in
+ specifying a V2 template, those being:
+
+ - no major version specified
+ - too many parts specified (i.e. major, minor, and then some more)
+ - major version is not an int
+ - major version is negative
+ - minor version is not an int
+ - minor version is negative
+
+ We only need to do Step 1 of installation, then check the CSR.
+
+ """
+ def test_v2_template_too_few_parts(self):
+ _test_invalid_profile(self.master, '1.2.3.4')
+
+ def test_v2_template_too_many_parts(self):
+ _test_invalid_profile(self.master, '1.2.3.4:100:200:300')
+
+ def test_v2_template_major_version_not_int(self):
+ _test_invalid_profile(self.master, '1.2.3.4:wat:200')
+
+ def test_v2_template_major_version_negative(self):
+ _test_invalid_profile(self.master, '1.2.3.4:-1:200')
+
+ def test_v2_template_minor_version_not_int(self):
+ _test_invalid_profile(self.master, '1.2.3.4:100:wat')
+
+ def test_v2_template_minor_version_negative(self):
+ _test_invalid_profile(self.master, '1.2.3.4:100:-2')
+
+ def test_v2_template_valid_major_only(self):
+ _test_valid_profile(
+ self.master, ipa_x509.MSCSTemplateV2, '1.2.3.4:100')
+
+
+class TestExternalCAProfileV2MajorMinor(IntegrationTest):
+ """
+ Test that V2 template specifiers _with_ minor version get
+ propagated to CSR. All error modes of V2 template specifiers
+ were tested in ``TestExternalCAProfileV2Major``.
+
+ We only need to do Step 1 of installation, then check the CSR.
+
+ """
+ def test_v2_template_valid_major_minor(self):
+ _test_valid_profile(
+ self.master, ipa_x509.MSCSTemplateV2, '1.2.3.4:100:200')
From a627df87c31e4d8399bd9fab43c0c4772ddd8955 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Thu, 11 Jul 2019 20:22:33 +1000
Subject: [PATCH] Collapse --external-ca-profile tests into single class
To avoid having to spawn new CI hosts for each kind of
--external-ca-profile argument we are testing, collapse the three
separate test classes into one. Uninstall the half-installed IPA
after each section of tests.
This change is in response to review comment
https://github.com/freeipa/freeipa/pull/2852#pullrequestreview-220442170.
Part of: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_external_ca.py | 34 ++++++++++++++-----
1 file changed, 26 insertions(+), 8 deletions(-)
diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
index dc9a09b43b..714aebd4a8 100644
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
@@ -501,8 +501,18 @@ def _test_valid_profile(master, profile_cls, profile):
check_mscs_extension(ipa_csr, profile_cls(profile))
-class TestExternalCAProfileV1(IntegrationTest):
+class TestExternalCAProfileScenarios(IntegrationTest):
"""
+ Test the various --external-ca-profile scenarios.
+ This test is broken into sections, with each section first
+ testing invalid arguments, then a valid argument, and finally
+ uninstalling the half-installed IPA.
+
+ """
+
+ '''
+ Tranche 1: version 1 templates.
+
Test that --external-ca-profile=Foo gets propagated to the CSR.
The default template extension when --external-ca-type=ms-cs,
@@ -511,7 +521,7 @@ class TestExternalCAProfileV1(IntegrationTest):
We only need to do Step 1 of installation, then check the CSR.
- """
+ '''
def test_invalid_v1_template(self):
_test_invalid_profile(self.master, 'NotAnOid:1')
@@ -519,9 +529,12 @@ def test_valid_v1_template(self):
_test_valid_profile(
self.master, ipa_x509.MSCSTemplateV1, 'TemplateOfAwesome')
+ def test_uninstall_1(self):
+ tasks.uninstall_master(self.master)
+
+ '''
+ Tranche 2: V2 templates without minor version.
-class TestExternalCAProfileV2MajorOnly(IntegrationTest):
- """
Test that V2 template specifiers without minor version get
propagated to CSR. This class also tests all error modes in
specifying a V2 template, those being:
@@ -535,7 +548,7 @@ class TestExternalCAProfileV2MajorOnly(IntegrationTest):
We only need to do Step 1 of installation, then check the CSR.
- """
+ '''
def test_v2_template_too_few_parts(self):
_test_invalid_profile(self.master, '1.2.3.4')
@@ -558,16 +571,21 @@ def test_v2_template_valid_major_only(self):
_test_valid_profile(
self.master, ipa_x509.MSCSTemplateV2, '1.2.3.4:100')
+ def test_uninstall_2(self):
+ tasks.uninstall_master(self.master)
+
+ '''
+ Tranche 3: V2 templates with minor version.
-class TestExternalCAProfileV2MajorMinor(IntegrationTest):
- """
Test that V2 template specifiers _with_ minor version get
propagated to CSR. All error modes of V2 template specifiers
were tested in ``TestExternalCAProfileV2Major``.
We only need to do Step 1 of installation, then check the CSR.
- """
+ '''
def test_v2_template_valid_major_minor(self):
_test_valid_profile(
self.master, ipa_x509.MSCSTemplateV2, '1.2.3.4:100:200')
+
+ # this is the end; no need to uninstall.
From 740964c3c47fd2cd216c233d8d9df1840eaa01ee Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Thu, 11 Jul 2019 20:27:02 +1000
Subject: [PATCH] ci: add --external-ca-profile tests to nightly
Part of: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/prci_definitions/nightly_f28.yaml | 12 ++++++++++++
ipatests/prci_definitions/nightly_f29.yaml | 12 ++++++++++++
ipatests/prci_definitions/nightly_master.yaml | 12 ++++++++++++
ipatests/prci_definitions/nightly_master_pki.yaml | 12 ++++++++++++
ipatests/prci_definitions/nightly_rawhide.yaml | 12 ++++++++++++
5 files changed, 60 insertions(+)
diff --git a/ipatests/prci_definitions/nightly_f28.yaml b/ipatests/prci_definitions/nightly_f28.yaml
index fe86730444..d1605e6b5c 100644
--- a/ipatests/prci_definitions/nightly_f28.yaml
+++ b/ipatests/prci_definitions/nightly_f28.yaml
@@ -75,6 +75,18 @@ jobs:
timeout: 3600
topology: *master_1repl
+ fedora-28/external_ca_templates:
+ requires: [fedora-28/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-28/build_url}'
+ test_suite: test_integration/test_external_ca.py::TestExternalCAProfileScenarios
+ template: *ci-master-f28
+ timeout: 3600
+ topology: *master_1repl
+
fedora-28/test_topologies:
requires: [fedora-28/build]
priority: 50
diff --git a/ipatests/prci_definitions/nightly_f29.yaml b/ipatests/prci_definitions/nightly_f29.yaml
index 57c1b624fe..ed88eb15c8 100644
--- a/ipatests/prci_definitions/nightly_f29.yaml
+++ b/ipatests/prci_definitions/nightly_f29.yaml
@@ -75,6 +75,18 @@ jobs:
timeout: 3600
topology: *master_1repl
+ fedora-29/external_ca_templates:
+ requires: [fedora-29/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-29/build_url}'
+ test_suite: test_integration/test_external_ca.py::TestExternalCAProfileScenarios
+ template: *ci-master-f29
+ timeout: 3600
+ topology: *master_1repl
+
fedora-29/test_topologies:
requires: [fedora-29/build]
priority: 50
diff --git a/ipatests/prci_definitions/nightly_master.yaml b/ipatests/prci_definitions/nightly_master.yaml
index dc63f37426..0a66a13490 100644
--- a/ipatests/prci_definitions/nightly_master.yaml
+++ b/ipatests/prci_definitions/nightly_master.yaml
@@ -75,6 +75,18 @@ jobs:
timeout: 3600
topology: *master_1repl
+ fedora-30/external_ca_templates:
+ requires: [fedora-30/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-30/build_url}'
+ test_suite: test_integration/test_external_ca.py::TestExternalCAProfileScenarios
+ template: *ci-master-f30
+ timeout: 3600
+ topology: *master_1repl
+
fedora-30/test_topologies:
requires: [fedora-30/build]
priority: 50
diff --git a/ipatests/prci_definitions/nightly_master_pki.yaml b/ipatests/prci_definitions/nightly_master_pki.yaml
index 1bb0af0244..ed2e38d3ed 100644
--- a/ipatests/prci_definitions/nightly_master_pki.yaml
+++ b/ipatests/prci_definitions/nightly_master_pki.yaml
@@ -75,6 +75,18 @@ jobs:
timeout: 3600
topology: *master_1repl
+ fedora-29/external_ca_templates:
+ requires: [fedora-29/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-29/build_url}'
+ test_suite: test_integration/test_external_ca.py::TestExternalCAProfileScenarios
+ template: *pki-master-f29
+ timeout: 3600
+ topology: *master_1repl
+
fedora-29/test_vault:
requires: [fedora-29/build]
priority: 50
diff --git a/ipatests/prci_definitions/nightly_rawhide.yaml b/ipatests/prci_definitions/nightly_rawhide.yaml
index 301878467c..14433fcc0a 100644
--- a/ipatests/prci_definitions/nightly_rawhide.yaml
+++ b/ipatests/prci_definitions/nightly_rawhide.yaml
@@ -75,6 +75,18 @@ jobs:
timeout: 3600
topology: *master_1repl
+ fedora-rawhide/external_ca_templates:
+ requires: [fedora-rawhide/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-rawhide/build_url}'
+ test_suite: test_integration/test_external_ca.py::TestExternalCAProfileScenarios
+ template: *ci-master-frawhide
+ timeout: 3600
+ topology: *master_1repl
+
fedora-rawhide/test_topologies:
requires: [fedora-rawhide/build]
priority: 50
From 011c5283cec28ea4361eff5d2ee98da9cd3db41a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Thu, 11 Jul 2019 20:27:02 +1000
Subject: [PATCH] ci: add --external-ca-profile tests to gating
Part of: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/prci_definitions/gating.yaml | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml
index 4d0107d956..81fa4bba10 100644
--- a/ipatests/prci_definitions/gating.yaml
+++ b/ipatests/prci_definitions/gating.yaml
@@ -87,6 +87,18 @@ jobs:
timeout: 3600
topology: *master_1repl
+ fedora-30/external_ca_templates:
+ requires: [fedora-30/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-30/build_url}'
+ test_suite: test_integration/test_external_ca.py::TestExternalCAProfileScenarios
+ template: *ci-master-f30
+ timeout: 3600
+ topology: *master_1repl
+
fedora-30/test_topologies:
requires: [fedora-30/build]
priority: 50