From ad996d79c639f92f57a20503b583ae68c77521e8 Mon Sep 17 00:00:00 2001
From: Michal Reznik
Date: Jan 09 2018 09:17:01 +0000
Subject: test_external_ca: selfsigned->ext_ca->selfsigned
Add selfsigned > external_ca > selfsigned test case.
Covers Pagure issue #7106 https://pagure.io/freeipa/issue/7302
Reviewed-By: Florence Blanc-Renaud
---
diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
index e3c4410..6d23f06 100644
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
@@ -15,11 +15,53 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -import os +import re +import time from ipatests.pytest_plugins.integration import tasks from ipatests.test_integration.base import IntegrationTest -from ipatests.test_integration.create_external_ca import ExternalCA +from ipaplatform.paths import paths + +from itertools import chain, repeat + +IPA_CA = 'ipa_ca.crt' +ROOT_CA = 'root_ca.crt' + +# string to identify PKI restart in the journal +PKI_START_STR = 'Started pki_tomcatd' + + +def check_CA_flag(host, nssdb=paths.PKI_TOMCAT_ALIAS_DIR, + cn='example.test'): + """ + Check if external CA (by default 'example.test' in our test env) has + CA flag in nssdb. + """ + result = host.run_command(['certutil', '-L', '-d', nssdb]) + text = result.stdout_text + + # match CN in cert nickname and C flag in SSL section of NSS flags table + match_CA_flag = re.compile('.*{}.*\s+C'.format(cn)) + match = re.search(match_CA_flag, text) + + return match + + +def match_in_journal(host, string, since='today', services=('certmonger',)): + """ + Returns match object for the particular string. + """ + # prepend '-u' before every service name + service_args = list(chain.from_iterable(list(zip(repeat('-u'), services)))) + command_args = ['journalctl', '--since={}'.format(since)] + service_args + result = host.run_command(command_args) + + output = result.stdout_text + + traceback = re.compile(string) + match = re.search(traceback, output) + + return match class TestExternalCA(IntegrationTest): 
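Review bot: In check_CA_flag the `cn` value is interpolated into the regex unescaped, so the default `example.test` (and any caller-supplied CN) lets `.` match any character, and the pattern is not a raw string, so `\s` is an invalid escape sequence that newer Python versions warn about; build it as `match_CA_flag = re.compile(r'.*{}.*\s+C'.format(re.escape(cn)))`. The match also accepts any capital `C` that follows whitespace on the line rather than specifically the SSL column of certutil's trust-attribute table, so a nickname containing ` C` could satisfy it; anchoring on the comma-separated trust group at the end of the line would make the assertion check what the docstring promises. match_in_journal treats its `string` parameter as a regular expression via re.compile, and its docstring should say so, e.g. `string: regular expression searched for in the journal output of the given units`. It also passes `since` straight to journalctl --since, so callers must supply a timestamp that is valid on the host being queried, which is worth stating in the docstring as well.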
@@ -40,23 +82,9 @@ class TestExternalCA(IntegrationTest): '--external-ca' ]) - test_dir = self.master.config.test_dir - - # Get IPA CSR as bytes - ipa_csr = self.master.get_file_contents('/root/ipa.csr') - - external_ca = ExternalCA() - # Create root CA - root_ca = external_ca.create_ca() - # Sign CSR - ipa_ca = external_ca.sign_csr(ipa_csr) - - root_ca_fname = os.path.join(test_dir, 'root_ca.crt') - ipa_ca_fname = os.path.join(test_dir, 'ipa_ca.crt') - - # Transport certificates (string > file) to master - self.master.put_file_contents(root_ca_fname, root_ca) - self.master.put_file_contents(ipa_ca_fname, ipa_ca) + # Sign CA, transport it to the host and get ipa a root ca paths. + root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport( + self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA) # Step 2 of ipa-server-install self.master.run_command([ 
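Review bot: The comment above the `tasks.sign_ca_and_transport` call reads `get ipa a root ca paths`, which is garbled; something like `# Sign the IPA CSR with a throwaway external CA, copy both certs to the master and return the paths of the root CA and IPA CA certificates.` tells the reader what the two returned names feed into in the second install step. The helper itself is not part of this diff, so the meaning of its positional arguments (CSR path, root CA file name, IPA CA file name) can only be inferred from the call site, and a short note on which returned path is which would help. The enclosing test method starts and ends outside this hunk.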
@@ -71,3 +99,62 @@ class TestExternalCA(IntegrationTest): tasks.kinit_admin(self.master) result = self.master.run_command(['ipa', 'user-show', 'admin']) assert 'User login: admin' in result.stdout_text + + +class TestSelfExternalSelf(IntegrationTest): + """ + Test self-signed > external CA > self-signed test case. + """ + def test_install_master(self): + result = tasks.install_master(self.master) + assert result.returncode == 0 + + def test_switch_to_external_ca(self): + + result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew', + '--external-ca']) + assert result.returncode == 0 + + # Sign CA, transport it to the host and get ipa a root ca paths. + root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport( + self.master, paths.IPA_CA_CSR, ROOT_CA, IPA_CA) + + # renew CA with externally signed one + result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew', + '--external-cert-file={}'. + format(ipa_ca_fname), + '--external-cert-file={}'. + format(root_ca_fname)]) + assert result.returncode == 0 + + # update IPA certificate databases + result = self.master.run_command([paths.IPA_CERTUPDATE]) + assert result.returncode == 0 + + # Check if external CA have "C" flag after the switch + result = check_CA_flag(self.master) + assert bool(result), ('External CA does not have "C" flag') + + def test_switch_back_to_self_signed(self): + + # for journalctl --since + switch_time = time.strftime('%H:%M:%S') + # switch back to self-signed CA + result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew', + '--self-signed']) + assert result.returncode == 0 + + # Confirm there is no traceback in the journal + result = match_in_journal(self.master, since=switch_time, + string='Traceback') + assert not bool(result), ('"Traceback" keyword found in the journal.' + 'Please check further') + + # Check if pki-tomcatd was started after switching back. 
+ result = match_in_journal(self.master, since=switch_time, + string=PKI_START_STR) + assert bool(result), ('pki_tomcatd not started after switching back to' + 'self-signed CA') + + result = self.master.run_command([paths.IPA_CERTUPDATE]) + assert result.returncode == 0
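Review bot: In test_switch_back_to_self_signed the `switch_time` passed to journalctl --since is taken with time.strftime on the test controller, but journalctl runs on self.master, so any clock or timezone difference between the two hosts shifts the window: a controller ahead of the master hides a Traceback and makes the negative assertion pass vacuously, while a controller behind it pulls in earlier log lines. Take the timestamp on the host being queried, e.g. `switch_time = self.master.run_command(['date', '+%Y-%m-%d %H:%M:%S']).stdout_text.strip()`; a bare time of day as used now also wraps at midnight, so including the date avoids an empty window for runs that cross it. The two implicitly concatenated assertion messages are missing a separating space (`journal.Please`, `toself-signed`). After switching back only the exit code of ipa-certupdate is checked; TestExternalCA finishes with tasks.kinit_admin and `ipa user-show admin`, and the same functional check here would confirm the self-signed CA is actually serving again rather than merely having been installed.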