URL: https://github.com/freeipa/freeipa/pull/1896 Author: tiran Title: #1896: Make ipatests' create_external_ca a script Action: opened
PR body: """ The test helper create_external_ca is useful to create an external root CA and sign ipa.csr for external CA testing. I also moved the file into ipatests top package to make the import shorter and to avoid an import warning. Usage: ipa-server-install --external-ca ... python3 -m ipatests.create_external_ca ipa-server-install --external-cert-file=/tmp/rootca.pem \ --external-cert-file=/tmp/ipaca.pem Signed-off-by: Christian Heimes <chei...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1896/head:pr1896 git checkout pr1896
From 849611d3bcdd9dffcc7ebee82e9b8a34ed3d0f11 Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Wed, 2 May 2018 12:40:43 +0200 Subject: [PATCH] Make ipatests' create_external_ca a script The test helper create_external_ca is useful to create an external root CA and sign ipa.csr for external CA testing. I also moved the file into ipatests top package to make the import shorter and to avoid an import warning. Usage: ipa-server-install --external-ca ... python3 -m ipatests.create_external_ca ipa-server-install --external-cert-file=/tmp/rootca.pem \ --external-cert-file=/tmp/ipaca.pem Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 .../integration => }/create_external_ca.py | 62 ++++++++++++++++++---- ipatests/pytest_plugins/integration/tasks.py | 2 +- ipatests/test_integration/test_caless.py | 2 +- ipatests/test_integration/test_external_ca.py | 2 +- 4 files changed, 56 insertions(+), 12 deletions(-) rename ipatests/{pytest_plugins/integration => }/create_external_ca.py (74%)
diff --git a/ipatests/pytest_plugins/integration/create_external_ca.py b/ipatests/create_external_ca.py
similarity index 74%
rename from ipatests/pytest_plugins/integration/create_external_ca.py
rename to ipatests/create_external_ca.py
index dc4ef048cc..c308efecbf 100644
--- a/ipatests/pytest_plugins/integration/create_external_ca.py
+++ b/ipatests/create_external_ca.py
@@ -15,6 +15,8 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
+import argparse
+
 from cryptography import x509
 from cryptography.x509.oid import NameOID
 from cryptography.hazmat.primitives import hashes
@@ -30,6 +32,10 @@ class ExternalCA(object):
 """
 Provide external CA for testing
 """
+ def __init__(self, days=365):
+ self.now = datetime.datetime.utcnow()
+ self.delta = datetime.timedelta(days=days)
+
 def create_ca(self, cn='example.test'):
 """Create root CA.
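Review bot: `__init__` fixes `self.now` once, and the later hunks in `create_ca` and `sign_csr` pass it unchanged to `not_valid_before`, so both certificates become valid at the exact instant the object was built, with no allowance for clock differences. If the certificates are consumed on another host whose clock runs slightly behind (plausible for multi-host integration tests, though not visible here), they would be rejected as not yet valid; backdating a little, for example `self.now = datetime.datetime.utcnow() - datetime.timedelta(minutes=5)`, avoids that. The new `days` argument also has no docstring; one sentence saying it sets the lifetime of both the root CA and the signed certificate would be enough.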
@@ -52,10 +58,8 @@ def create_ca(self, cn='example.test'):
 builder = builder.issuer_name(self.issuer)
 builder = builder.public_key(self.ca_public_key)
 builder = builder.serial_number(x509.random_serial_number())
- builder = builder.not_valid_before(datetime.datetime.utcnow())
- builder = builder.not_valid_after(
- datetime.datetime.utcnow() + datetime.timedelta(days=365)
- )
+ builder = builder.not_valid_before(self.now)
+ builder = builder.not_valid_after(self.now + self.delta)
 builder = builder.add_extension(
 x509.KeyUsage(
@@ -93,7 +97,7 @@ def create_ca(self, cn='example.test'):
 return cert.public_bytes(serialization.Encoding.PEM)
- def sign_csr(self, ipa_csr):
+ def sign_csr(self, ipa_csr, path_length=1):
 """Sign certificate CSR.
 :param ipa_csr: CSR in PEM format.
@@ -110,9 +114,8 @@ def sign_csr(self, ipa_csr):
 builder = builder.subject_name(csr_subject)
 builder = builder.serial_number(x509.random_serial_number())
 builder = builder.issuer_name(self.issuer)
- builder = builder.not_valid_before(datetime.datetime.utcnow())
- builder = builder.not_valid_after(
- datetime.datetime.utcnow() + datetime.timedelta(days=365))
+ builder = builder.not_valid_before(self.now)
+ builder = builder.not_valid_after(self.now + self.delta)
 builder = builder.add_extension(
 x509.KeyUsage(
@@ -142,7 +145,7 @@ def sign_csr(self, ipa_csr):
 )
 builder = builder.add_extension(
- x509.BasicConstraints(ca=True, path_length=1),
+ x509.BasicConstraints(ca=True, path_length=path_length),
 critical=True,
 )
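Review bot: The new `path_length` parameter of `sign_csr` is missing from the docstring, which in the visible context still lists only `:param ipa_csr:`. I would add `:param path_length: path length constraint written into BasicConstraints of the issued CA certificate; None means no limit.` next to it, since the value is passed unchanged to `x509.BasicConstraints(ca=True, path_length=path_length)` in the last hunk. The docstring continues outside the hunk, so if it carries `:type:` entries further down they need a matching line.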
@@ -153,3 +156,44 @@ def sign_csr(self, ipa_csr):
 )
 return cert.public_bytes(serialization.Encoding.PEM)
+
+
+def main():
+ IPA_CSR = '/root/ipa.csr'
+ ROOT_CA = '/tmp/rootca.pem'
+ IPA_CA = '/tmp/ipaca.pem'
+ parser = argparse.ArgumentParser("Create external CA")
+ parser.add_argument(
+ '--csr', type=argparse.FileType('rb'), default=IPA_CSR,
+ help="Path to ipa.csr (default: {})".format(IPA_CSR)
+ )
+ parser.add_argument(
+ '--rootca', type=argparse.FileType('wb'), default=ROOT_CA,
+ help="New root CA file (default: {})".format(ROOT_CA)
+ )
+ parser.add_argument(
+ '--ipaca', type=argparse.FileType('wb'), default=IPA_CA,
+ help="New IPA CA file (default: {})".format(ROOT_CA)
+ )
+
+ args = parser.parse_args()
+
+ with args.csr as f:
+ ipa_csr = f.read()
+
+ external_ca = ExternalCA()
+ root_ca = external_ca.create_ca()
+ ipa_ca = external_ca.sign_csr(ipa_csr)
+
+ with args.rootca as f:
+ f.write(root_ca)
+
+ with args.ipaca as f:
+ f.write(ipa_ca)
+
+ o = "ipa-server-install --external-cert-file={} --external-cert-file={}"
+ print(o.format(args.rootca.name, args.ipaca.name))
+
+
+if __name__ == '__main__':
+ main()
diff --git a/ipatests/pytest_plugins/integration/tasks.py b/ipatests/pytest_plugins/integration/tasks.py
index 95e8359d0b..6d13fd06a5 100644
--- a/ipatests/pytest_plugins/integration/tasks.py
+++ b/ipatests/pytest_plugins/integration/tasks.py
@@ -43,7 +43,7 @@ from ipalib.constants import (
 DEFAULT_CONFIG, DOMAIN_SUFFIX_NAME, DOMAIN_LEVEL_0)
-from .create_external_ca import ExternalCA
+from ipatests.create_external_ca import ExternalCA
 from .env_config import env_to_script
 from .host import Host
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index b29320274f..1666b1ce41 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
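Review bot: The defaults for `--rootca` and `--ipaca` in `main()` are fixed names under `/tmp`, and `argparse.FileType('wb')` opens and truncates them during `parse_args()`, so a run as root (the CSR default `/root/ipa.csr` suggests that is the usual case) can overwrite a file or follow a symlink that another local user placed at those names beforehand. Defaulting to a directory only the invoking user can write, for example `ROOT_CA = '/root/rootca.pem'` and `IPA_CA = '/root/ipaca.pem'`, removes the exposure; alternatively take plain path strings and create the files exclusively once the certificates have been built. Separately, the `--ipaca` help string formats the wrong constant and should read `help="New IPA CA file (default: {})".format(IPA_CA)`.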
@@ -37,7 +37,7 @@ from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_plugins.integration import tasks
-from ipatests.pytest_plugins.integration.create_external_ca import ExternalCA
+from ipatests.create_external_ca import ExternalCA
 from ipatests.pytest_plugins.integration import create_caless_pki
 from ipalib.constants import DOMAIN_LEVEL_0
diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
index ee0abefa0e..3bcbcbfdcd 100644
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
@@ -27,7 +27,7 @@ from ipaplatform.paths import paths
 from itertools import chain, repeat
-from ipatests.pytest_plugins.integration.create_external_ca import ExternalCA
+from ipatests.create_external_ca import ExternalCA
 IPA_CA = 'ipa_ca.crt'
 ROOT_CA = 'root_ca.crt'