root@sssd2:~# apt-get python-openssl
dpkg -i http://ftp.us.debian.org/debian/pool/main/n/nss-wrapper/libnss-wrapper_1.1.2-1_amd64.deb
dpkg -i http://security.kali.org/pool/main/l/linux/linux-libc-dev_3.16.7-ckt20-1+deb8u4_amd64.deb
On Sun, Feb 28, 2016 at 08:19:57PM -0500, Dan Lavu wrote:

I've made most of the suggested changes but I'm going to take some time and get the test running on Debian as well (mostly to find out if /etc/pki is a Red Hat thing or not). Fedora and Debian are the only distros we are testing/supporting against, correct?

Yes, we support RHEL >= 6, Fedora (all supported versions) and Debian Testing.

Also wondering if the CI setup issue I'm seeing applies to apt.

Dan

On 2/26/16 5:53 AM, Jakub Hrozek wrote:

On Thu, Feb 25, 2016 at 05:18:09PM -0500, Dan Lavu wrote:

Here is a patch for https://fedorahosted.org/sssd/ticket/2820

First real patch... criticisms for what I need to improve on are welcome, including concepts that I should learn, thanks.

Thanks a lot for the patch! See my comments inline:

From 529adb3e0d763a8ee9ba9b4c5b13f933d723e8de Mon Sep 17 00:00:00 2001 From: Dan Lavu <dlavu@redhat.com> Date: Fri, 5 Feb 2016 08:51:07 -0500 Subject: [PATCH] Adding SSL encryption to integration tests. --- src/tests/intg/ca.py | 166 ++++++++++++++++++++++++++++++++++++++++++ src/tests/intg/ds_openldap.py | 14 ++++ 2 files changed, 180 insertions(+) create mode 100644 src/tests/intg/ca.py diff --git a/src/tests/intg/ca.py b/src/tests/intg/ca.py new file mode 100644 index 0000000000000000000000000000000000000000..a44a92e5d5053338dabd7d8d82d2b1d50ec7594e --- /dev/null +++ b/src/tests/intg/ca.py 
@@ -0,0 +1,166 @@ +# +# SSSD LOCAL domain tests +# +# Copyright (c) 2016 Red Hat, Inc. +# Author: Dan Lavu <dan@redhat.com> +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +from OpenSSL import crypto +from os.path import exists, join + +import socket +import os +import fnmatch + + +class CA:It would be nice to use the new-style classes, so class CA(object)+ """CA Class""" + + def __init__(self, subject=None, country=None, state=None, + city=None, organization=None, unit=None, config_dir=None): + if subject is None: + self.subject = socket.gethostname() + if country is None: + self.country = 'US' + if state is None: + self.state = 'NC' + if city is None: + self.city = 'Raleigh' + if organization is None: + self.organization = 'Red Hat' + if unit is None: + self.unit = 'SSSD' + if config_dir is None: + self.config_dir = '/etc/pki'/etc/pki is not writable unless you're root. We should store the certs in another directory writable by any user. Maybe this is something Nikolai (CC) could help us with, I know we use fakeroot to set up the directory structure, but I'm fuzzy on the details, so I don't know myself which part of the tests we should exactly touch.. Also, does the /etc/pki path exists on Debian and other distributions or is it Red Hat-centric? 
When we have this done, hopefully we can remove the use of 'ldap_auth_disable_tls_never_use_in_production' from our tests?+ + self.hostname = socket.gethostname()This is maybe something to fix in a later iteration of the patch, but I wonder if it was useful to override the hostname to something else than what gethostname() reports. Not sure at the moment..+ self.csr_dir = self.config_dir + '/CA/newcerts' + self.key_dir = self.config_dir + '/tls/private' + self.cert_dir = self.config_dir + '/tls/certs' + + self.index = int(1000) + + + def setup(self): + """Setup CA using OpenSSL""" + cacert = socket.gethostname() + '-ca.crt' + cakey = socket.gethostname() + '-ca.key'Instead of using socket.gethostname(), maybe using self.hostname would be better here (and elsewhere) ?+ + if not exists(join(self.cert_dir, cacert)) or not exists(join(self.key_dir, cakey)): + key = crypto.PKey() + key.generate_key(crypto.TYPE_RSA, 2048) + + ca = crypto.X509() + ca.get_subject().C = self.country + ca.get_subject().ST = self.state + ca.get_subject().L = self.city + ca.get_subject().O = self.organization + ca.get_subject().OU = self.unit + ca.get_subject().CN = self.subject + ca.set_serial_number(self.index) + ca.gmtime_adj_notBefore(0) + ca.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) + ca.set_issuer(ca.get_subject()) + ca.set_pubkey(key) + ca.sign(key, 'sha1')
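Review bot: the keyword-argument handling in `CA.__init__` only assigns the instance attribute when the argument is None, so a caller that passes any explicit value (for example `CA(subject='ldap.example')`, or a non-default country, state, city, organization, unit or config_dir) leaves `self.subject` and the other attributes unset, and `setup()` then fails with AttributeError at `ca.get_subject().CN = self.subject`; each of the seven arguments should be stored unconditionally, e.g. `self.subject = subject if subject is not None else socket.gethostname()`, or the defaults moved into the parameter list. Two smaller points in the same hunk: `ca.sign(key, 'sha1')` signs the CA certificate with SHA-1, a deprecated digest for certificate signatures, and since the certificates are generated fresh by the test there is no compatibility reason not to use `'sha256'`; and the file header says `# SSSD LOCAL domain tests` and names `dan@redhat.com` as author, while the module is the test CA helper and the commit is from `dlavu@redhat.com`, so both should be made consistent. `self.index = int(1000)` can simply be `self.index = 1000`.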
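The review above asks for a test CA that lives in a directory writable by an unprivileged user, is keyed to the hostname the LDAP server will present, and would let the tests drop 'ldap_auth_disable_tls_never_use_in_production'. The script below is an added example and is not code from the patch or from the sssd project: it builds the same kind of CA with the openssl command-line tool instead of pyOpenSSL, signs with sha256, issues a server certificate with a subjectAltName for the hostname, and runs the verification a fixture should do before starting the server. The function names, the config-file layout, the file names under the target directory and the use of a per-run temporary directory are all assumptions of this example; the DN fields mirror the defaults in the patch.

```shell
#!/bin/sh
# Added example, not code from the sssd patch or project: a test CA built with
# the openssl CLI, in a directory the calling user can write (the fixture
# should hand in a per-run temp dir, not /etc/pki), signed with sha256.
# Assumptions: the openssl binary is on PATH and HOSTNAME is the name the test
# LDAP server will present in its certificate.
set -eu

# write_openssl_cnf DIR HOSTNAME
#   Writes the config used by all three openssl invocations: a fixed CA subject
#   (same DN fields as the patch) plus extension sections for the CA and for
#   the server certificate (SAN = HOSTNAME, serverAuth).
write_openssl_cnf() {
    cat > "$1/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no

[dn]
C = US
ST = NC
L = Raleigh
O = Red Hat
OU = SSSD
CN = $2 test CA

[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# make_test_ca DIR HOSTNAME
#   Creates DIR/ca.key, DIR/ca.crt, DIR/HOSTNAME.key and DIR/HOSTNAME.crt.
#   RSA-2048 keys, unencrypted so the test server can load them without a
#   passphrase; every signature uses sha256.
make_test_ca() {
    dir=$1; host=$2
    mkdir -p "$dir"
    chmod 700 "$dir"
    write_openssl_cnf "$dir" "$host"

    # Self-signed CA, 10-year validity like the patch, sha256 instead of sha1.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/openssl.cnf" -extensions ca_ext \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # Server key and CSR; -subj overrides the CA DN from the config file.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/openssl.cnf" -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null

    # Issue the server certificate from the CA with the server extensions.
    openssl x509 -req -sha256 -days 365 -CAcreateserial \
        -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -extfile "$dir/openssl.cnf" -extensions server_ext \
        -out "$dir/$host.crt" 2>/dev/null

    chmod 600 "$dir"/*.key
}

# verify_test_ca DIR HOSTNAME
#   The check a fixture should run before starting slapd: the server cert
#   chains to the CA, is valid for TLS server use with that hostname, and both
#   certificates carry sha256 signatures. Returns 1 on the first failure.
verify_test_ca() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" -purpose sslserver \
        -verify_hostname "$host" "$dir/$host.crt" >/dev/null 2>&1 || return 1
    for f in ca "$host"; do
        openssl x509 -in "$dir/$f.crt" -noout -text \
            | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
    done
    openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host" || return 1
}

# Usage: sh make-test-ca.sh DIR HOSTNAME. With no arguments only the functions
# are defined, so a harness can source this file.
if [ $# -ge 2 ]; then
    make_test_ca "$1" "$2"
    verify_test_ca "$1" "$2"
    echo "test CA ready in $1"
fi
```

The point of `verify_test_ca` is that a hostname mismatch fails before any LDAP client is involved: `openssl verify -verify_hostname` checks the SAN the same way the TLS client will, so a fixture that passes the wrong name into `make_test_ca` finds out at setup time rather than as an obscure bind failure later.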