URL: https://github.com/freeipa/freeipa/pull/1896
Author: tiran
 Title: #1896: Make ipatests' create_external_ca a script
Action: opened

PR body:
"""
The test helper create_external_ca is useful to create an external root
CA and sign ipa.csr for external CA testing. I also moved the file into
ipatests top package to make the import shorter and to avoid an import
warning.

Usage:

   ipa-server-install --external-ca ...
   python3 -m ipatests.create_external_ca
   ipa-server-install --external-cert-file=/tmp/rootca.pem \
       --external-cert-file=/tmp/ipaca.pem

Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1896/head:pr1896
git checkout pr1896
From 849611d3bcdd9dffcc7ebee82e9b8a34ed3d0f11 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 2 May 2018 12:40:43 +0200
Subject: [PATCH] Make ipatests' create_external_ca a script

The test helper create_external_ca is useful to create an external root
CA and sign ipa.csr for external CA testing. I also moved the file into
ipatests top package to make the import shorter and to avoid an import
warning.

Usage:

   ipa-server-install --external-ca ...
   python3 -m ipatests.create_external_ca
   ipa-server-install --external-cert-file=/tmp/rootca.pem \
       --external-cert-file=/tmp/ipaca.pem

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 .../integration => }/create_external_ca.py         | 62 ++++++++++++++++++----
 ipatests/pytest_plugins/integration/tasks.py       |  2 +-
 ipatests/test_integration/test_caless.py           |  2 +-
 ipatests/test_integration/test_external_ca.py      |  2 +-
 4 files changed, 56 insertions(+), 12 deletions(-)
 rename ipatests/{pytest_plugins/integration => }/create_external_ca.py (74%)

diff --git a/ipatests/pytest_plugins/integration/create_external_ca.py b/ipatests/create_external_ca.py
similarity index 74%
rename from ipatests/pytest_plugins/integration/create_external_ca.py
rename to ipatests/create_external_ca.py
index dc4ef048cc..c308efecbf 100644
--- a/ipatests/pytest_plugins/integration/create_external_ca.py
+++ b/ipatests/create_external_ca.py
@@ -15,6 +15,8 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import argparse
+
 from cryptography import x509
 from cryptography.x509.oid import NameOID
 from cryptography.hazmat.primitives import hashes
@@ -30,6 +32,10 @@ class ExternalCA(object):
     """
     Provide external CA for testing
     """
+    def __init__(self, days=365):
+        self.now = datetime.datetime.utcnow()
+        self.delta = datetime.timedelta(days=days)
+
     def create_ca(self, cn='example.test'):
         """Create root CA.
 
@@ -52,10 +58,8 @@ def create_ca(self, cn='example.test'):
         builder = builder.issuer_name(self.issuer)
         builder = builder.public_key(self.ca_public_key)
         builder = builder.serial_number(x509.random_serial_number())
-        builder = builder.not_valid_before(datetime.datetime.utcnow())
-        builder = builder.not_valid_after(
-                  datetime.datetime.utcnow() + datetime.timedelta(days=365)
-                  )
+        builder = builder.not_valid_before(self.now)
+        builder = builder.not_valid_after(self.now + self.delta)
 
         builder = builder.add_extension(
             x509.KeyUsage(
@@ -93,7 +97,7 @@ def create_ca(self, cn='example.test'):
 
         return cert.public_bytes(serialization.Encoding.PEM)
 
-    def sign_csr(self, ipa_csr):
+    def sign_csr(self, ipa_csr, path_length=1):
         """Sign certificate CSR.
 
         :param ipa_csr: CSR in PEM format.
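Review bot: `sign_csr` gains a `path_length` parameter but the visible part of the docstring still documents only `ipa_csr`; the docstring continues past the hunk, so if the new parameter is not described further down, add `:param path_length: pathLenConstraint for the BasicConstraints extension (default 1; None removes the limit).`. Since this value lands directly in a critical `BasicConstraints(ca=True, ...)` extension, the doc line should make clear that loosening it widens what the issued CA certificate is allowed to sign.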
@@ -110,9 +114,8 @@ def sign_csr(self, ipa_csr):
         builder = builder.subject_name(csr_subject)
         builder = builder.serial_number(x509.random_serial_number())
         builder = builder.issuer_name(self.issuer)
-        builder = builder.not_valid_before(datetime.datetime.utcnow())
-        builder = builder.not_valid_after(
-                  datetime.datetime.utcnow() + datetime.timedelta(days=365))
+        builder = builder.not_valid_before(self.now)
+        builder = builder.not_valid_after(self.now + self.delta)
 
         builder = builder.add_extension(
             x509.KeyUsage(
@@ -142,7 +145,7 @@ def sign_csr(self, ipa_csr):
         )
 
         builder = builder.add_extension(
-            x509.BasicConstraints(ca=True, path_length=1),
+            x509.BasicConstraints(ca=True, path_length=path_length),
             critical=True,
         )
 
@@ -153,3 +156,44 @@ def sign_csr(self, ipa_csr):
         )
 
         return cert.public_bytes(serialization.Encoding.PEM)
+
+
+def main():
+    IPA_CSR = '/root/ipa.csr'
+    ROOT_CA = '/tmp/rootca.pem'
+    IPA_CA = '/tmp/ipaca.pem'
+    parser = argparse.ArgumentParser("Create external CA")
+    parser.add_argument(
+        '--csr', type=argparse.FileType('rb'), default=IPA_CSR,
+        help="Path to ipa.csr (default: {})".format(IPA_CSR)
+    )
+    parser.add_argument(
+        '--rootca', type=argparse.FileType('wb'), default=ROOT_CA,
+        help="New root CA file (default: {})".format(ROOT_CA)
+    )
+    parser.add_argument(
+        '--ipaca', type=argparse.FileType('wb'), default=IPA_CA,
+        help="New IPA CA file (default: {})".format(ROOT_CA)
+    )
+
+    args = parser.parse_args()
+
+    with args.csr as f:
+        ipa_csr = f.read()
+
+    external_ca = ExternalCA()
+    root_ca = external_ca.create_ca()
+    ipa_ca = external_ca.sign_csr(ipa_csr)
+
+    with args.rootca as f:
+        f.write(root_ca)
+
+    with args.ipaca as f:
+        f.write(ipa_ca)
+
+    o = "ipa-server-install --external-cert-file={} --external-cert-file={}"
+    print(o.format(args.rootca.name, args.ipaca.name))
+
+
+if __name__ == '__main__':
+    main()
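Review bot: The help text for `--ipaca` reports the wrong default: line 144 formats `ROOT_CA` into the string, so `--help` shows `/tmp/rootca.pem` for both output options; it should be `help="New IPA CA file (default: {})".format(IPA_CA)`. Separately, `argparse.FileType('wb')` with a string default opens and truncates the output files inside `parse_args()`, before the CSR has been parsed or signed, so a malformed CSR leaves behind empty `rootca.pem`/`ipaca.pem` files; opening the outputs only after `sign_csr()` has returned, or writing via a temporary file and renaming, avoids that. The fixed defaults in the shared `/tmp` directory are also opened for writing at a predictable path, which means a pre-existing file or symlink there would be followed; defaulting to the current working directory or a `tempfile.mkdtemp()` location would be safer for a helper that is meant to run as root. Finally, `ExternalCA()` is constructed with the default `days`, so the new `__init__` parameter is not reachable from the CLI; a `--days` option would make the script match the class.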
diff --git a/ipatests/pytest_plugins/integration/tasks.py b/ipatests/pytest_plugins/integration/tasks.py
index 95e8359d0b..6d13fd06a5 100644
--- a/ipatests/pytest_plugins/integration/tasks.py
+++ b/ipatests/pytest_plugins/integration/tasks.py
@@ -43,7 +43,7 @@
 from ipalib.constants import (
     DEFAULT_CONFIG, DOMAIN_SUFFIX_NAME, DOMAIN_LEVEL_0)
 
-from .create_external_ca import ExternalCA
+from ipatests.create_external_ca import ExternalCA
 from .env_config import env_to_script
 from .host import Host
 
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index b29320274f..1666b1ce41 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -37,7 +37,7 @@
 from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_plugins.integration import tasks
-from ipatests.pytest_plugins.integration.create_external_ca import ExternalCA
+from ipatests.create_external_ca import ExternalCA
 from ipatests.pytest_plugins.integration import create_caless_pki
 from ipalib.constants import DOMAIN_LEVEL_0
 
diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
index ee0abefa0e..3bcbcbfdcd 100644
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
@@ -27,7 +27,7 @@
 from ipaplatform.paths import paths
 
 from itertools import chain, repeat
-from ipatests.pytest_plugins.integration.create_external_ca import ExternalCA
+from ipatests.create_external_ca import ExternalCA
 
 IPA_CA = 'ipa_ca.crt'
 ROOT_CA = 'root_ca.crt'