From 8e92190db866e7eb05aaaf41609b442f201d5c08 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Jun 07 2020 07:38:27 +0000 Subject: ipatests: check HTTP certificate contains ipa-ca.$DOMAIN dnsname Add integration test that confirms that on CA-ful installation, the (non-3rd-party) HTTP certificate bears the ipa-ca.$DOMAIN DNS name. For detailed discussion on the purpose of this change and the design decisions made, see `git log -1 $THIS_COMMIT~4`. Part of: https://pagure.io/freeipa/issue/8186 Reviewed-By: Rob Crittenden Reviewed-By: Rob Crittenden
---
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 8f8e9a8..01a2100 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -17,6 +17,7 @@ from datetime import datetime, timedelta
 import pytest
 from cryptography.hazmat.primitives import hashes
+from cryptography import x509 as crypto_x509
 from ipalib import x509
 from ipalib.constants import DOMAIN_LEVEL_0
@@ -737,6 +738,17 @@ class TestInstallMaster(IntegrationTest):
 assert key_size == 2048
 assert cert.signature_hash_algorithm.name == hashes.SHA256.name
+ def test_http_cert(self):
+ """
+ Test that HTTP certificate contains ipa-ca.$DOMAIN
+ DNS name.
+
+ """
+ data = self.master.get_file_contents(paths.HTTPD_CERT_FILE)
+ cert = x509.load_pem_x509_certificate(data)
+ name = f'ipa-ca.{self.master.domain.name}'
+ assert crypto_x509.DNSName(name) in cert.san_general_names
+
 def test_p11_kit_softhsm2(self):
 # check that p11-kit-proxy does not inject SoftHSM2
 result = self.master.run_command([
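Review bot: The single assertion in `test_http_cert` passes as soon as `ipa-ca.$DOMAIN` appears in the SAN, so it would not catch a certificate that gained this name but lost the server's own host name, which is the name clients validate the HTTPS endpoint against. Consider asserting both, e.g. `assert crypto_x509.DNSName(self.master.hostname) in cert.san_general_names`, and adding a failure message that prints `cert.san_general_names` so a red run shows what the certificate actually carried. The docstring could also record the precondition from the commit message (CA-ful install, not a third-party certificate) and drop its trailing blank line. The body of `TestInstallMaster` continues outside the hunk, so whether the fixture guarantees that precondition is not visible here.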