From da2079ce2cc841aec56da872131112eb24326f81 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Aug 06 2020 14:10:50 +0000
Subject: ipatests: Check permissions of /etc/ipa/ca.crt new installations
It should be 0644 root:root for both CA-ful and CA-less installs.
https://pagure.io/freeipa/issue/8441
Reviewed-By: Alexander Bokovoy
---
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 1ea7d98..16dfbb3 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -394,6 +394,14 @@ class CALessBase(IntegrationTest):
 host, cert_from_ldap.public_bytes(x509.Encoding.PEM))
 assert cert_from_ldap == expected_cacrt
+ result = host.run_command(
+ ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
+ )
+ (owner, group, mode) = result.stdout_text.strip().split(':')
+ assert owner == "root"
+ assert group == "root"
+ assert mode == "644"
+
 # Verify certmonger was not started
 result = host.run_command(['getcert', 'list'], raiseonerr=False)
 assert result.returncode == 0
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 100a5a7..fb19900 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -346,6 +346,16 @@ class TestInstallCA(IntegrationTest):
 status = tasks.wait_for_request(self.master, request_id[0], 300)
 assert status == "MONITORING"
+ def test_ipa_ca_crt_permissions(self):
+ """Verify that /etc/ipa/ca.cert is mode 0644 root:root"""
+ result = self.master.run_command(
+ ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
+ )
+ out = str(result.stdout_text.strip())
+ (owner, group, mode) = out.split(':')
+ assert mode == "644"
+ assert owner == "root"
+ assert group == "root"
 class TestInstallWithCA_KRA1(InstallTestBase1):
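Review bot: The three separate asserts after the `stat` call in the CALessBase hunk stop at the first mismatch, so a failure never shows owner, group and mode together, and nothing in the code says why 0644 root:root is required. Comparing the whole string, `assert result.stdout_text.strip() == "root:root:644"`, reports all three fields at once, and a comment such as `# the CA certificate must be readable by everyone but writable only by root` would record the intent. The same check is repeated in `test_ipa_ca_crt_permissions` in test_installation.py, so a shared helper would keep the CA-ful and CA-less paths asserting the same thing. The enclosing method starts and ends outside this hunk.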
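Review bot: The docstring of `test_ipa_ca_crt_permissions` names `/etc/ipa/ca.cert`, while the commit subject refers to `/etc/ipa/ca.crt` and the code uses `paths.IPA_CA_CRT`; it should read `"""Verify that /etc/ipa/ca.crt is mode 0644 root:root"""`. The `str(...)` around `result.stdout_text.strip()` looks redundant, since the CALessBase hunk calls `.split(':')` on the same value directly.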