From b478bf99d9f158dabae145169f242b2b5d26404c Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Dec 02 2020 19:32:26 +0000
Subject: ipatests: Test that ipa-ca.$domain can retrieve CRLs without redirect
https://pagure.io/freeipa/issue/8595
Signed-off-by: Rob Crittenden
Reviewed-By: Alexander Bokovoy
---
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index b5df42b..1335b29 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -21,6 +21,7 @@ from cryptography import x509 as crypto_x509
 from ipalib import x509
 from ipalib.constants import DOMAIN_LEVEL_0
+from ipalib.constants import IPA_CA_RECORD
 from ipalib.sysrestore import SYSRESTORE_STATEFILE, SYSRESTORE_INDEXFILE
 from ipapython.dn import DN
 from ipaplatform.constants import constants
@@ -1039,6 +1040,64 @@ class TestInstallMaster(IntegrationTest):
 }
 assert ('200', 'ipa', 'pp') in entries
+ def test_ipaca_no_redirect(self):
+ """Test that ipa-ca.$DOMAIN does not redirect
+
+ ipa-ca is a valid name for an IPA server. It should not
+ require a redirect.
+
+ CRL generation does not need to be enabled for this test.
+ We aren't exactly testing that a CRL can be retrieved, just
+ that the redirect doesn't happen.
+ """
+
+ def run_request(url, expected_stdout=None, expected_stderr=None):
+ result = self.master.run_command(['curl', '-s', '-v', url])
+ if expected_stdout:
+ assert expected_stdout in result.stdout_text
+ if expected_stderr:
+ assert expected_stderr in result.stderr_text
+
+ # CRL publishing on start-up is disabled so drop a file there
+ crlfile = os.path.join(paths.PKI_CA_PUBLISH_DIR, 'MasterCRL.bin')
+ self.master.put_file_contents(crlfile, 'secret')
+
+ hosts = (
+ f'{IPA_CA_RECORD}.{self.master.domain.name}',
+ self.master.hostname,
+ )
+
+ # Positive tests. Both hosts can serve these.
+ urls = (
+ 'http://{host}/ipa/crl/MasterCRL.bin',
+ 'http://{host}/ca/ocsp',
+ 'https://{host}/ca/admin/ca/getCertChain',
+ 'https://{host}/acme/',
+ )
+ for url in urls:
+ for host in hosts:
+ run_request(
+ url.format(host=host),
+ expected_stderr='HTTP/1.1 200'
+ )
+
+ # Negative tests. ipa-ca cannot serve these and will redirect and
+ # test that existing redirect for unencrypted still works
+ urls = (
+ 'http://{host}/',
+ 'http://{host}/ipa/json',
+ 'http://{carecord}.{domain}/ipa/json',
+ 'https://{carecord}.{domain}/ipa/json',
+ 'http://{carecord}.{domain}/ipa/config/ca.crt',
+ )
+ for url in urls:
+ run_request(
+ url.format(host=self.master.hostname,
+ domain=self.master.domain.name,
+ carecord=IPA_CA_RECORD),
+ expected_stdout=f'href="https://{self.master.hostname}/'
+ )
+
 class TestInstallMasterKRA(IntegrationTest):
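Review bot: The negative cases in test_ipaca_no_redirect only look for `href="https://{self.master.hostname}/` in the response body, so they never check the status code or the `Location` header, and a 200 page that merely links to the master would satisfy them. Since run_request already runs curl with `-v`, also passing `expected_stderr=f'Location: https://{self.master.hostname}/'` on those calls would tie the assertion to the redirect itself. The positive cases match the literal `HTTP/1.1 200`, which presumably stops matching if curl and httpd negotiate HTTP/2 on the https URLs; adding `--http1.1` to the curl argument list would pin that. The placeholder `MasterCRL.bin` written with put_file_contents is also left in `paths.PKI_CA_PUBLISH_DIR` after the test, where later tests in the class could fetch it as if it were a CRL, so removing it in a `try`/`finally` would keep the master clean.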