From d2689280492bfd3045cb14ece02be2e4361570c7 Mon Sep 17 00:00:00 2001 From: Barbora Simonova Date: Aug 05 2020 10:12:14 +0000 Subject: Issue 50952 - SSCA lacks basicConstraint:CA Description: Created a test that checks if the certificate generated by instance has 'category: authority' tag in trust. Relates: https://pagure.io/389-ds-base/issue/50952 Reviewed by: spichugi (Thanks!)
---
diff --git a/dirsrvtests/tests/suites/tls/tls_cert_namespace_test.py b/dirsrvtests/tests/suites/tls/tls_cert_namespace_test.py
index 04135f7..9a6103e 100644
--- a/dirsrvtests/tests/suites/tls/tls_cert_namespace_test.py
+++ b/dirsrvtests/tests/suites/tls/tls_cert_namespace_test.py
@@ -76,6 +76,55 @@ def test_pem_cert_in_private_namespace(topology_st):
 assert not os.path.exists(cert_path + item)
+@pytest.mark.ds50952
+@pytest.mark.bz1809279
+@pytest.mark.xfail(ds_is_older("1.4.3"), reason="Might fail because of bz1809279")
+@pytest.mark.skipif(ds_is_older("1.4.0"), reason="Not implemented")
+def test_cert_category_authority(topology_st):
+ """Test that certificate generated by instance has category: authority
+
+ :id: b7e816e9-2786-4d76-9c5b-bb111b0870f2
+ :setup: Standalone instance
+ :steps:
+ 1. Create DS instance
+ 2. Enable TLS
+ 3. Check if Self-Signed-CA.pem is present
+ 4. Trust the certificate
+ 5. Search if the certificate has category: authority
+ :expectedresults:
+ 1. Success
+ 2. Success
+ 3. Success
+ 4. Success
+ 5. Success
+ """
+
+ PEM_FILE = 'Self-Signed-CA.pem'
+
+ standalone = topology_st.standalone
+
+ log.info('Enable TLS')
+ standalone.enable_tls()
+
+ log.info('Get certificate path')
+ if ds_is_older('1.4.3'):
+ cert_path = glob('/etc/dirsrv/slapd-{}/'.format(standalone.serverid))
+ else:
+ cert_path = glob('/tmp/systemd-private-*-dirsrv@{}.service-*/tmp/slapd-{}/'.format(standalone.serverid,
+ standalone.serverid))
+ log.info('Check that {} is present'.format(PEM_FILE))
+ signed_cert = cert_path[0] + PEM_FILE
+ assert os.path.exists(signed_cert)
+
+ log.info('Trust the certificate')
+ subprocess.check_output(['trust', 'anchor', signed_cert])
+
+ log.info('Search if our certificate has category: authority')
+ result = subprocess.check_output(['trust', 'list'])
+ assert re.search(r'^(.*)label: ssca[.]389ds[.]example[.]com\n(.*).*\n.*category: authority$', ensure_str(result),
+ re.MULTILINE)
+
+
 if __name__ == '__main__':
 # Run isolated
 # -s for DEBUG mode
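Review bot: The `trust anchor` call in `test_cert_category_authority` adds the instance's self-signed CA to the host's system-wide trust store and nothing removes it afterwards, so the test machine keeps trusting a throwaway CA once the run is over. An anchor left behind by an earlier run presumably carries the same `ssca.389ds.example.com` label, so the `trust list` regex may match stale state rather than the certificate generated in this run. Wrap the `trust list` check in `try:` and undo the anchor in `finally:` with `subprocess.check_call(['trust', 'anchor', '--remove', signed_cert])`. Separately, `cert_path[0]` raises IndexError when the glob matches nothing, so an `assert cert_path` just before it would give a clearer failure.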