From c708ef781ed0fec5ec6781e0e3b3fc5e4739fbbc Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Thu, 27 Jun 2019 12:58:50 +0200
Subject: [PATCH] New tests folder

There are currently only externally signed CA tests:

external-signed-ca-with-automatic-copy
external-signed-ca-with-manual-copy
---
 .../external-ca.sh                            | 49 +++++++++++++++++++
 ...r-with-external-ca-with-automatic-copy.yml | 36 ++++++++++++++
 .../inventory                                 |  8 +++
 .../external-ca.sh                            | 49 +++++++++++++++++++
 ...rver-with-external-ca-with-manual-copy.yml | 49 +++++++++++++++++++
 .../inventory                                 |  8 +++
 6 files changed, 199 insertions(+)
 create mode 100644 tests/external-signed-ca-with-automatic-copy/external-ca.sh
 create mode 100644 tests/external-signed-ca-with-automatic-copy/install-server-with-external-ca-with-automatic-copy.yml
 create mode 100644 tests/external-signed-ca-with-automatic-copy/inventory
 create mode 100644 tests/external-signed-ca-with-manual-copy/external-ca.sh
 create mode 100644 tests/external-signed-ca-with-manual-copy/install-server-with-external-ca-with-manual-copy.yml
 create mode 100644 tests/external-signed-ca-with-manual-copy/inventory

diff --git a/tests/external-signed-ca-with-automatic-copy/external-ca.sh b/tests/external-signed-ca-with-automatic-copy/external-ca.sh
new file mode 100644
index 00000000..bf4cb696
--- /dev/null
+++ b/tests/external-signed-ca-with-automatic-copy/external-ca.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+master=$1
+if [ -z "$master" ]; then
+    echo "ERROR: master is not set"
+    echo
+    echo "usage: $0 master-fqdn domain"
+    exit 0;
+fi
+
+PASSWORD="SomeCApassword"
+DBDIR="${master}-nssdb"
+PWDFILE="$DBDIR/pwdfile.txt"
+NOISE="/etc/passwd"
+
+domain=$2
+if [ -z "$domain" ]; then
+    echo "ERROR: domain is not set"
+    echo
+    echo "usage: $0 master-fqdn domain"
+    exit 0;
+fi
+
+if [ ! -f "${master}-ipa.csr" ]; then
+    echo "ERROR: ${master}-ipa.csr missing"
+    exit 1;
+fi
+
+ROOT_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
+IPA_CA_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
+
+rm -rf "$DBDIR"
+mkdir "$DBDIR"
+echo "$PASSWORD" > "$PWDFILE"
+certutil -N -d "$DBDIR" -f "$PWDFILE"
+echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n${ROOT_KEY_ID}\nn\n" \
+  | certutil -d "$DBDIR"  -f "$PWDFILE" -S -z "$NOISE" -n ca -x -t C,C,C \
+    -s "CN=PRIMARY,O=$domain" -x -1 -2 --extSKID
+
+openssl req -outform der -in "${master}-ipa.csr" -out "$DBDIR/req.csr"
+echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\ny\n${ROOT_KEY_ID}\n\n\nn\n${IPA_CA_KEY_ID}\nn\n" \
+  | certutil -d "$DBDIR" -f "$PWDFILE" -C -z "$NOISE" -c ca \
+    -i "$DBDIR/req.csr" -o "$DBDIR/external.cer" -1 -2 -3 --extSKID
+
+openssl x509 -inform der -in "$DBDIR/external.cer" -out "$DBDIR/external.pem"
+certutil -L -n ca -d "$DBDIR" -a > "$DBDIR/ca.crt"
+cat "$DBDIR/external.pem" "$DBDIR/ca.crt" > "$DBDIR/chain.crt"
+
+cp "$DBDIR/chain.crt" "${master}-chain.crt"
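Review bot: The two usage-error branches (`echo "ERROR: master is not set"` and `echo "ERROR: domain is not set"`) end in `exit 0;`, so the Ansible `command` task that runs this script reports OK and the step2 play proceeds without a chain file; both should be `exit 1`. Nothing sets an error mode either, so a failing `certutil` or `openssl` call is masked and the script's status is only that of the final `cp`; adding `set -euo pipefail` right after the shebang makes the test fail at the step that actually broke. The `certutil -S` invocation also passes `-x` twice, which is harmless but reads like a leftover. The same points apply to tests/external-signed-ca-with-manual-copy/external-ca.sh, which is a byte-identical copy (same blob bf4cb696) and could be one shared script.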
diff --git a/tests/external-signed-ca-with-automatic-copy/install-server-with-external-ca-with-automatic-copy.yml b/tests/external-signed-ca-with-automatic-copy/install-server-with-external-ca-with-automatic-copy.yml
new file mode 100644
index 00000000..e856fb40
--- /dev/null
+++ b/tests/external-signed-ca-with-automatic-copy/install-server-with-external-ca-with-automatic-copy.yml
@@ -0,0 +1,36 @@
+---
+- name: Playbook to configure IPA server step1
+  hosts: ipaserver
+  become: true
+  vars:
+    ipaserver_external_ca: yes
+    ipaserver_copy_csr_to_controller: yes
+
+  roles:
+  - role: ipaserver
+    state: present
+
+- name: Create CA, get /root/ipa.csr signed by your CA, ..
+  hosts: localhost
+  gather_facts: false
+
+  tasks:
+  - name: Run external-ca.sh
+    command: >
+      /bin/bash
+      external-ca.sh
+      "{{ groups.ipaserver[0] }}"
+      "{{ ipaserver_domain | default(groups.ipaserver[0].split('.')[1:] | join ('.')) }}"
+    args:
+      chdir: "{{ playbook_dir }}"
+
+- name: Playbook to configure IPA server step2
+  hosts: ipaserver
+  become: true
+  vars:
+    ipaserver_external_cert_files_from_controller: "{{ groups.ipaserver[0] + '-chain.crt' }}"
+    #ipaserver_external_ca_file: "{{ groups.ipaserver[0] + '-cacert.asc' }}"
+
+  roles:
+  - role: ipaserver
+    state: present
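Review bot: `ipaserver_external_ca: yes` and `ipaserver_copy_csr_to_controller: yes` use the YAML 1.1 boolean spelling while `become: true` in the same play uses the canonical one; Ansible accepts both, but `true` is what yamllint's truthy rule and the rest of the file use, so `ipaserver_external_ca: true` and `ipaserver_copy_csr_to_controller: true`. The commented-out `#ipaserver_external_ca_file` line is dead configuration in a test fixture; either drop it or make it a real comment stating why it is not needed when the chain file already carries the CA. The manual-copy playbook in this commit has the same pattern (`ipaserver_external_ca: yes`, `flat: yes`, `force: yes` and its own commented-out `ipaserver_external_ca_file`).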
diff --git a/tests/external-signed-ca-with-automatic-copy/inventory b/tests/external-signed-ca-with-automatic-copy/inventory
new file mode 100644
index 00000000..e1694c0b
--- /dev/null
+++ b/tests/external-signed-ca-with-automatic-copy/inventory
@@ -0,0 +1,8 @@
+[ipaserver]
+ipaserver.test.local
+
+[ipaservcer:vars]
+ipaadmin_password=SomeADMINpassword
+ipadm_password=SomeDMpassword
+ipaserver_domain=test.local
+ipaserver_realm=TEST.LOCAL
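Review bot: The vars section header is misspelled `[ipaservcer:vars]`, so `ipaadmin_password`, `ipadm_password`, `ipaserver_domain` and `ipaserver_realm` are attached to a group with no hosts and never reach ipaserver.test.local; the ipaserver role would then run without its admin and DM passwords. It should read `[ipaserver:vars]`. The inventory in tests/external-signed-ca-with-manual-copy is the same blob (e1694c0b) and carries the same typo.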
diff --git a/tests/external-signed-ca-with-manual-copy/external-ca.sh b/tests/external-signed-ca-with-manual-copy/external-ca.sh
new file mode 100644
index 00000000..bf4cb696
--- /dev/null
+++ b/tests/external-signed-ca-with-manual-copy/external-ca.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+master=$1
+if [ -z "$master" ]; then
+    echo "ERROR: master is not set"
+    echo
+    echo "usage: $0 master-fqdn domain"
+    exit 0;
+fi
+
+PASSWORD="SomeCApassword"
+DBDIR="${master}-nssdb"
+PWDFILE="$DBDIR/pwdfile.txt"
+NOISE="/etc/passwd"
+
+domain=$2
+if [ -z "$domain" ]; then
+    echo "ERROR: domain is not set"
+    echo
+    echo "usage: $0 master-fqdn domain"
+    exit 0;
+fi
+
+if [ ! -f "${master}-ipa.csr" ]; then
+    echo "ERROR: ${master}-ipa.csr missing"
+    exit 1;
+fi
+
+ROOT_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
+IPA_CA_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
+
+rm -rf "$DBDIR"
+mkdir "$DBDIR"
+echo "$PASSWORD" > "$PWDFILE"
+certutil -N -d "$DBDIR" -f "$PWDFILE"
+echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n${ROOT_KEY_ID}\nn\n" \
+  | certutil -d "$DBDIR"  -f "$PWDFILE" -S -z "$NOISE" -n ca -x -t C,C,C \
+    -s "CN=PRIMARY,O=$domain" -x -1 -2 --extSKID
+
+openssl req -outform der -in "${master}-ipa.csr" -out "$DBDIR/req.csr"
+echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\ny\n${ROOT_KEY_ID}\n\n\nn\n${IPA_CA_KEY_ID}\nn\n" \
+  | certutil -d "$DBDIR" -f "$PWDFILE" -C -z "$NOISE" -c ca \
+    -i "$DBDIR/req.csr" -o "$DBDIR/external.cer" -1 -2 -3 --extSKID
+
+openssl x509 -inform der -in "$DBDIR/external.cer" -out "$DBDIR/external.pem"
+certutil -L -n ca -d "$DBDIR" -a > "$DBDIR/ca.crt"
+cat "$DBDIR/external.pem" "$DBDIR/ca.crt" > "$DBDIR/chain.crt"
+
+cp "$DBDIR/chain.crt" "${master}-chain.crt"
diff --git a/tests/external-signed-ca-with-manual-copy/install-server-with-external-ca-with-manual-copy.yml b/tests/external-signed-ca-with-manual-copy/install-server-with-external-ca-with-manual-copy.yml
new file mode 100644
index 00000000..33b466ca
--- /dev/null
+++ b/tests/external-signed-ca-with-manual-copy/install-server-with-external-ca-with-manual-copy.yml
@@ -0,0 +1,49 @@
+---
+- name: Playbook to configure IPA server step1
+  hosts: ipaserver
+  become: true
+  vars:
+    ipaserver_external_ca: yes
+
+  roles:
+  - role: ipaserver
+    state: present
+
+  post_tasks:
+  - name: Copy CSR /root/ipa.csr from node to "{{ groups.ipaserver[0] + '-ipa.csr' }}"
+    fetch:
+      src: /root/ipa.csr
+      dest: "{{ groups.ipaserver[0] + '-ipa.csr' }}"
+      flat: yes
+
+- name: Get /root/ipa.csr, create CA, sign with our CA and copy to node
+  hosts: localhost
+  gather_facts: false
+
+  tasks:
+  - name: Run external-ca.sh
+    command: >
+      /bin/bash
+      external-ca.sh
+      "{{ groups.ipaserver[0] }}"
+      "{{ ipaserver_domain | default(groups.ipaserver[0].split('.')[1:] | join ('.')) }}"
+    args:
+      chdir: "{{ playbook_dir }}"
+
+- name: Playbook to configure IPA server step2
+  hosts: ipaserver
+  become: true
+  vars:
+    ipaserver_external_cert_files: "/root/chain.crt"
+    #ipaserver_external_ca_file: "cacert.asc"
+
+  pre_tasks:
+  - name: Copy "{{ groups.ipaserver[0] + '-chain.crt' }}" to /root/chain.crt on node
+    copy:
+      src: "{{ groups.ipaserver[0] + '-chain.crt' }}"
+      dest: "/root/chain.crt"
+      force: yes
+
+  roles:
+  - role: ipaserver
+    state: present
diff --git a/tests/external-signed-ca-with-manual-copy/inventory b/tests/external-signed-ca-with-manual-copy/inventory
new file mode 100644
index 00000000..e1694c0b
--- /dev/null
+++ b/tests/external-signed-ca-with-manual-copy/inventory
@@ -0,0 +1,8 @@
+[ipaserver]
+ipaserver.test.local
+
+[ipaservcer:vars]
+ipaadmin_password=SomeADMINpassword
+ipadm_password=SomeDMpassword
+ipaserver_domain=test.local
+ipaserver_realm=TEST.LOCAL
-- 
GitLab