Skip to content

Commit

Permalink
Added_bz_1976010_automation_upstream
Browse files Browse the repository at this point in the history
Signed-off-by: Pritam Singh <prisingh@redhat.com>
  • Loading branch information
Pritam Singh committed Aug 9, 2021
1 parent d5eecdd commit 2e4f3fe
Show file tree
Hide file tree
Showing 3 changed files with 264 additions and 2 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/qe-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -96,7 +96,7 @@ jobs:

- name: Set up inventory
run: |
sed -e "s/TOPOLOGY/topology-02/g" tests/inventory > inventory
sed -e "s/TOPOLOGY/topology-00/g" tests/inventory > inventory
ansible -i inventory -m setup master
- name: Set up topology-02
Expand All @@ -118,7 +118,7 @@ jobs:
--ansible-module-path tests/dogtag/pytest-ansible/common-modules \
--junit-xml pki_cert_junit.xml \
-qsvvv \
tests/dogtag/pytest-ansible/pytest/sanity/test_role_users.py
tests/dogtag/pytest-ansible/pytest/ca/bugzilla/test_bz_1976010_restrict_ee_profile_list_without_immediate_issuance.py
- name: Gather artifacts
if: always()
Expand Down
1 change: 1 addition & 0 deletions tests/dogtag/pytest-ansible/.gitlab-ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -237,6 +237,7 @@ ca-topo-00-bugzilla-cp:
- ansible-playbook -i $HOSTFILE $PYTEST_DIR/installation/main.yml --extra-vars "topology=topology-00" -vv | sed 's/\\n/\n/g'
- py.test --html=$CI_PROJECT_DIR/${CI_JOB_NAME}_html_report.html --self-contained-html --ansible-inventory $HOSTFILE --ansible-host-pattern master $PYTEST_DIR/pytest/ca/bugzilla/test_bug_1656772_man_pkispawn_having_reference_to_setup-ds.py -q -s --junitxml ${CI_JOB_NAME}_junit.xml | sed 's/\\n/\n/g'
- py.test --html=$CI_PROJECT_DIR/${CI_JOB_NAME}_html_report.html --self-contained-html --ansible-inventory $HOSTFILE --ansible-host-pattern master --ansible-playbook-inventory $HOSTFILE --ansible-playbook-directory $PYTEST_DIR/pytest/ca/bugzilla/ $PYTEST_DIR/pytest/ca/bugzilla/test_bug_1426572_1930586_cert_fix_tool.py -qsvv --junitxml ${CI_JOB_NAME}_junit.xml | sed 's/\\n/\n/g'
- py.test --html=$CI_PROJECT_DIR/${CI_JOB_NAME}_html_report.html --self-contained-html --ansible-inventory $HOSTFILE --ansible-host-pattern master $PYTEST_DIR/pytest/ca/bugzilla/test_bz_1976010_restrict_ee_profile_list_without_immediate_issuance.py -q -s --junitxml ${CI_JOB_NAME}_junit.xml | sed 's/\\n/\n/g'

topo-02-ca-bugzillas-gs:
<<: *job_definition
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,261 @@
#!/usr/bin/python
# -*- coding: UTF-8 -*-

"""
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Description: Automation of Bz_1976010: Restrict EE profile list and
# enrollment submission per LDAP group without immediate issuance
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Author: Pritam Singh <prisingh@redhat.com>
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Copyright Red Hat, Inc.
# SPDX-License-Identifier: GPL-2.0-or-later
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"""

import logging
import os
import sys
import pytest
import time

log = logging.getLogger()
logging.basicConfig(stream=sys.stdout, level=logging.INFO)

try:
from pki.testlib.common import constants
except Exception as e:
if os.path.isfile('/tmp/test_dir/constants.py'):
sys.path.append('/tmp/test_dir')
import constants

topology = constants.CA_INSTANCE_NAME.split("-")[1].strip()
instance_name = constants.CA_INSTANCE_NAME
ca_config_path = '/var/lib/pki/{}/ca/conf/CS.cfg'.format(constants.CA_INSTANCE_NAME)
ca_profile_path = '/var/lib/pki/{}/ca/profiles/ca/caDirUserCert.cfg'.format(constants.CA_INSTANCE_NAME)


@pytest.mark.skipif('topology != "00"')
@pytest.fixture(autouse=True)
def topo00_setup_for_ldap_and_ca(ansible_module):
"""
:id: 90f34de5-a5b8-469c-ab28-73bc0e08638e
:Title: Topology-00 setup for ldap, ca
:Description: setup ldap, ca
:Requirement: RHCS-REQ Certificate Authority Administration
:CaseComponent: \-
:Setup: Use the subsystems setup in ansible to run subsystem commands
:Steps:
1. Install Ldap server
2. Install CA
3. Remove CA
4. Remove LDAP
:ExpectedResults:
1. It should install and remove ldap, ca
:Automated: yes
"""
# Setup DS instance
ansible_module.command('cp -R /tmp/test_dir/ /tmp/test_conf')
log.info('Installing DS')
out = ansible_module.shell('dscreate from-file /tmp/test_conf/ldap.cfg')
for result in out.values():
assert result['rc'] == 0
log.info("Setup DS instance.")

# Setup CA instance
log.info('Installing CA')
install_ca = ansible_module.shell('pkispawn -s CA -f /tmp/test_conf/ca.cfg')
for result in install_ca.values():
assert result['rc'] == 0
log.info("CA Installed successfully")


# Create NSSDB and import certificates

ansible_module.command('pki -d {} -c {} client-init '
'--force'.format(constants.NSSDB, constants.CLIENT_DATABASE_PASSWORD))
log.info("Initialize client dir: {}".format(constants.NSSDB))
command = 'pki -d {} -c {} -p {} client-cert-import --ca-server'.format(constants.NSSDB,
constants.CLIENT_DATABASE_PASSWORD,
constants.CA_HTTPS_PORT)
ansible_module.expect(command=command,responses={"Trust this certificate (y/N)?": "y"})
log.info("Imported RootCA cert.")

ansible_module.command('pki -d {} -c {} client-cert-import --pkcs12 {} '
'--pkcs12-password {}'.format(constants.NSSDB, constants.CLIENT_DATABASE_PASSWORD,
constants.CA_CLIENT_DIR + "/ca_admin_cert.p12",
constants.CLIENT_PKCS12_PASSWORD))
log.info("Imported CA Admin Cert.")


yield

# Remove CA instance
log.info('Removing CA')
remove_ca = ansible_module.shell('pkidestroy -s CA -i {} --remove-logs'.format(constants.CA_INSTANCE_NAME))
for result in remove_ca.values():
assert result['rc'] == 0
log.info("CA removed successfully.")
time.sleep(5)

# Remove Ldap server
log.info('Removing DS')
remove_ldap = ansible_module.shell('dsctl topology-00-testingmaster remove --do-it')
for result in remove_ldap.values():
assert result['rc'] == 0
log.info("LDAP removed successfully.")
ansible_module.command('rm -rf {}'.format(constants.NSSDB))


@pytest.mark.skipif('topology != "00"')
def test_bz_1976010_restrict_ee_profile_list_without_immediate_issuance(ansible_module):
"""
:id: db9da98e-a707-4603-97d5-146b26e51a1e
:Title: Test bz 1976010: Restrict EE profile list without immediate issuance
:Description: Test bz 1976010: Restrict EE profile list without immediate issuance
:Requirement: RHCS-REQ Certificate Authority Administration
:CaseComponent: \-
:Setup: Use the subsystems setup in ansible to run subsystem commands
:Steps:
1. Create group 'requestors'
2. Create user 'reqUser1'
3. Add 'reqUser1' user to 'requestors' group
4. Add LDAP authentication configuration in CS.cfg
5. Add 'auth.explicitApprovalRequired=true' and 'authz.acl=group=requestors' lines for LDAP authentication for the LDAP group requestors in caDirUserCert.cfg profile
6. Restart the CA subsystem
7. Create the certificate request with user 'reqUser1' which is a group member of the 'requestors' group
8. Create a certificate request with user 'caadmin' which is not a member of 'requestors' group
:ExpectedResults:
1. No automatic certificate issuance
2. The certificate request status should be 'pending'
:Automated: yes
:customerscenario: yes
"""
# Create group 'requestors'
group_name = "requestors"
cmd_out = ansible_module.pki(cli="ca-group-add",
nssdb=constants.NSSDB,
dbpassword=constants.CLIENT_DATABASE_PASSWORD,
protocol='https',
port=constants.CA_HTTPS_PORT,
hostname=constants.MASTER_HOSTNAME,
certnick='"{}"'.format(constants.CA_ADMIN_NICK),
extra_args='{}'.format(group_name))
for result in cmd_out.values():
if result['rc'] == 0:
assert 'Added group "{}"'.format(group_name) in result['stdout']
assert 'Group ID: {}'.format(group_name) in result['stdout']
log.info('Successfully ran : {}'.format(result['cmd']))
else:
log.error(result['stdout'])
log.error(result['stderr'])
pytest.fail("Failed to run : {}".format(result['cmd']))

# Create user 'reqUser1'
user_name = "reqUser1"
cmd_out = ansible_module.pki(cli="ca-user-add",
nssdb=constants.NSSDB,
dbpassword=constants.CLIENT_DATABASE_PASSWORD,
protocol='https',
port=constants.CA_HTTPS_PORT,
hostname=constants.MASTER_HOSTNAME,
certnick='"{}"'.format(constants.CA_ADMIN_NICK),
extra_args='{} --fullName "{}" --password {}'.format(
user_name, user_name, constants.CA_PASSWORD))
for result in cmd_out.values():
if result['rc'] == 0:
assert 'Added user "{}"'.format(user_name) in result['stdout']
assert 'User ID: {}'.format(user_name) in result['stdout']
assert 'Full name: {}'.format(user_name) in result['stdout']
log.info('Successfully ran : {}'.format(result['cmd']))
else:
log.error(result['stdout'])
log.error(result['stderr'])
pytest.fail('Failed to run: {}'.format(result['cmd']))

# Add 'reqUser1' user to 'requestors' group
cmd_out = ansible_module.pki(cli="ca-group-member-add",
nssdb=constants.NSSDB,
dbpassword=constants.CLIENT_DATABASE_PASSWORD,
protocol='https',
port=constants.CA_HTTPS_PORT,
hostname=constants.MASTER_HOSTNAME,
certnick='"{}"'.format(constants.CA_ADMIN_NICK),
extra_args='"{}" {}'.format(group_name, user_name))
for result in cmd_out.values():
if result['rc'] == 0:
assert 'Added group member "{}"'.format(user_name) in result['stdout']
assert 'User: {}'.format(user_name) in result['stdout']
log.info("Successfully ran : {}".format(result['cmd']))
else:
log.error(result['stdout'])
log.error(result['stderr'])
pytest.fail("Failed to ran : {}".format(result['cmd']))

# Add LDAP authentication configuration in CS.cfg

ldap_conf = ['auths.instance.UserDirEnrollment.dnpattern=uid=$attr.uid,ou=people,o={}-CA'.format(constants.CA_INSTANCE_NAME),
'auths.instance.UserDirEnrollment.ldap.basedn=ou=people,o={}-CA'.format(constants.CA_INSTANCE_NAME),
'auths.instance.UserDirEnrollment.ldap.ldapconn.host={}'.format(constants.MASTER_HOSTNAME),
'auths.instance.UserDirEnrollment.ldap.ldapconn.port={}'.format(constants.LDAP_PORT),
'auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false',
'auths.instance.UserDirEnrollment.ldap.ldapconn.version=3',
'auths.instance.UserDirEnrollment.ldap.maxConns=',
'auths.instance.UserDirEnrollment.ldap.minConns=',
'auths.instance.UserDirEnrollment.ldapByteAttributes=',
'auths.instance.UserDirEnrollment.ldapStringAttributes=uid,cn,mail',
'auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth']

param = ['auth.explicitApprovalRequired=true',
'authz.acl=group=requestors']

for i in ldap_conf:
ansible_module.lineinfile(path=ca_config_path, insertafter='^auths._002=', line=i)
for k in param:
ansible_module.lineinfile(path=ca_profile_path, insertafter='^auth.instance_id', line=k)
log.info('Successfully added LDAP authentication configuration')

# Restart the CA subsystem
ansible_module.command('pki-server restart {}'.format(constants.CA_INSTANCE_NAME))
time.sleep(5)

# Create the certificate request with user 'reqUser1'
cmd = 'pki -d {} -c {} -U http://{}:{} client-cert-request uid={} --profile=caDirUserCert --algorithm rsa ' \
'--length 2048 --type pkcs10 --username {} --password'.format(constants.NSSDB,
constants.CLIENT_DATABASE_PASSWORD,
constants.MASTER_HOSTNAME,
constants.CA_HTTP_PORT,
user_name, user_name)
cmd_out = ansible_module.expect(command=cmd,
responses={"Password:": "{}".format(constants.CA_PASSWORD)})
for result in cmd_out.values():
if result['rc'] == 0:
assert 'Operation Result: success' in result['stdout']
assert 'Type: enrollment' in result['stdout']
assert 'Request Status: pending' in result['stdout']
log.info('Successfully submitted the certificate request with no automated issuance')
else:
log.error(result['stderr'])
log.error(result['stdout'])
pytest.fail('Failed to run: {}'.format(result['cmd']))

# Create the certificate request with user 'caadmin'
cmd = 'pki -d {} -c {} -U http://{}:{} client-cert-request uid={} --profile=caDirUserCert --algorithm rsa ' \
'--length 2048 --type pkcs10 --username {} --password'.format(constants.NSSDB,
constants.CLIENT_DATABASE_PASSWORD,
constants.MASTER_HOSTNAME,
constants.CA_HTTP_PORT,
'caadmin', 'caadmin')
cmd_out = ansible_module.expect(command=cmd,
responses={"Password:": "{}".format(constants.CA_PASSWORD)})
for result in cmd_out.values():
if result['rc'] > 0:
assert 'Authorization failed: Authorization failed on resource: group=requestors, operation: {1}' in result['stdout']
log.info('Failed to submit the request for non group member user')
else:
assert 'Operation Result: success' in result['stdout']
assert 'Request Status: pending' in result['stdout']
pytest.fail('Failed to run: {}'.format(result['cmd']))

0 comments on commit 2e4f3fe

Please sign in to comment.