From 7f30ddb1b7e30c22f9b7d14d2658b58a0ea6b459 Mon Sep 17 00:00:00 2001

From: Mohammad Rizwan <myusuf@redhat.com>

Date: Tue, 2 Feb 2021 17:33:57 +0530

Subject: [PATCH] ipatests: Test if ipa-cert-fix renews expired certs

Test moves system date to expire certs. Then calls ipa-cert-fix

to renew them. This certs include subsystem, audit-signing,

OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.

related: https://pagure.io/freeipa/issue/7885

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

Reviewed-By: Anuja More <amore@redhat.com>

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

Reviewed-By: Anuja More <amore@redhat.com>

---

 .../test_integration/test_ipa_cert_fix.py     | 60 +++++++++++++++++++

 1 file changed, 60 insertions(+)

diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py

index f9e5fe6e2..da68af573 100644

--- a/ipatests/test_integration/test_ipa_cert_fix.py

+++ b/ipatests/test_integration/test_ipa_cert_fix.py

@@ -8,12 +8,16 @@ Module provides tests for ipa-cert-fix CLI.

 import pytest

 import time

+import logging

 from ipaplatform.paths import paths

 from ipatests.pytest_ipa.integration import tasks

 from ipatests.test_integration.base import IntegrationTest

 from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup

+logger = logging.getLogger(__name__)

+

+

 def server_install_teardown(func):

     def wrapped(*args):

         master = args[0].master

@@ -24,6 +28,26 @@ def server_install_teardown(func):

     return wrapped

+def check_status(host, cert_count, state, timeout=600):

+    """Helper method to check that if all the certs are in given state

+    :param host: the host

+    :param cert_count: no of cert to look for

+    :param state: state to check for

+    :param timeout: max time in seconds to wait for the state

+    """

+    for _i in range(0, timeout, 10):

+        result = host.run_command(['getcert', 'list'])

+        count = result.stdout_text.count(f"status: {state}")

+        logger.info("cert count in %s state : %s", state, count)

+        if int(count) == cert_count:

+            break

+        time.sleep(10)

+    else:

+        raise RuntimeError("request timed out")

+

+    return count

+

+

 class TestIpaCertFix(IntegrationTest):

     @classmethod

     def uninstall(cls, mh):

@@ -106,6 +130,42 @@ class TestIpaCertFix(IntegrationTest):

                 # timeout

                 raise AssertionError('Timeout: Failed to renew all the certs')

+    def test_renew_expired_cert_on_master(self, expire_cert_critical):

+        """Test if ipa-cert-fix renews expired certs

+

+        Test moves system date to expire certs. Then calls ipa-cert-fix

+        to renew them. This certs include subsystem, audit-signing,

+        OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.

+

+        related: https://pagure.io/freeipa/issue/7885

+        """

+        # wait for cert expiry

+        check_status(self.master, 8, "CA_UNREACHABLE")

+

+        self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')

+

+        check_status(self.master, 9, "MONITORING")

+

+        # second iteration of ipa-cert-fix

+        result = self.master.run_command(

+            ['ipa-cert-fix', '-v'],

+            stdin_text='yes\n'

+        )

+        assert "Nothing to do" in result.stdout_text

+        check_status(self.master, 9, "MONITORING")

+

+    def test_ipa_cert_fix_non_ipa(self):

+        """Test ipa-cert-fix doesn't work on non ipa system

+

+        ipa-cert-fix tool should not work on non ipa system.

+

+        related: https://pagure.io/freeipa/issue/7885

+        """

+        result = self.master.run_command(['ipa-cert-fix', '-v'],

+                                         stdin_text='yes\n',

+                                         raiseonerr=False)

+        assert result.returncode == 2

+

 class TestIpaCertFixThirdParty(CALessBase):

     """

-- 

2.29.2

From 36a60dbb35cb4429f00528f79bec8b7982a30c74 Mon Sep 17 00:00:00 2001

From: Mohammad Rizwan <myusuf@redhat.com>

Date: Thu, 11 Feb 2021 16:54:22 +0530

Subject: [PATCH] Move fixture outside the class and add setup_kra capability

Moved fixture to use across multiple classes. Added capability

to install the KRA to the fixture

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

Reviewed-By: Anuja More <amore@redhat.com>

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

Reviewed-By: Anuja More <amore@redhat.com>

---

 .../test_integration/test_ipa_cert_fix.py     | 46 ++++++++++++-------

 1 file changed, 30 insertions(+), 16 deletions(-)

diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py

index da68af573..591dc5031 100644

--- a/ipatests/test_integration/test_ipa_cert_fix.py

+++ b/ipatests/test_integration/test_ipa_cert_fix.py

@@ -48,6 +48,33 @@ def check_status(host, cert_count, state, timeout=600):

     return count

+@pytest.fixture

+def expire_cert_critical():

+    """

+    Fixture to expire the certs by moving the system date using

+    date -s command and revert it back

+    """

+

+    hosts = dict()

+

+    def _expire_cert_critical(host, setup_kra=False):

+        hosts['host'] = host

+        # Do not install NTP as the test plays with the date

+        tasks.install_master(host, setup_dns=False,

+                             extra_args=['--no-ntp'])

+        if setup_kra:

+            tasks.install_kra(host)

+        host.run_command(['systemctl', 'stop', 'chronyd'])

+        host.run_command(['date', '-s', '+3Years+1day'])

+

+    yield _expire_cert_critical

+

+    host = hosts.pop('host')

+    tasks.uninstall_master(host)

+    host.run_command(['date', '-s', '-3Years-1day'])

+    host.run_command(['systemctl', 'start', 'chronyd'])

+

+

 class TestIpaCertFix(IntegrationTest):

     @classmethod

     def uninstall(cls, mh):

@@ -55,22 +82,6 @@ class TestIpaCertFix(IntegrationTest):

         # the fixture

         pass

-    @pytest.fixture

-    def expire_cert_critical(self):

-        """

-        Fixture to expire the certs by moving the system date using

-        date -s command and revert it back

-        """

-        # Do not install NTP as the test plays with the date

-        tasks.install_master(self.master, setup_dns=False,

-                             extra_args=['--no-ntp'])

-        self.master.run_command(['systemctl', 'stop', 'chronyd'])

-        self.master.run_command(['date','-s', '+3Years+1day'])

-        yield

-        tasks.uninstall_master(self.master)

-        self.master.run_command(['date','-s', '-3Years-1day'])

-        self.master.run_command(['systemctl', 'start', 'chronyd'])

-

     def test_missing_csr(self, expire_cert_critical):

         """

         Test that ipa-cert-fix succeeds when CSR is missing from CS.cfg

@@ -82,6 +93,7 @@ class TestIpaCertFix(IntegrationTest):

         - call getcert resubmit in order to create the CSR in certmonger file

         - use ipa-cert-fix, no issue should be seen

         """

+        expire_cert_critical(self.master)

         # pki must be stopped in order to edit CS.cfg

         self.master.run_command(['ipactl', 'stop'])

         self.master.run_command(['sed', '-i', r'/ca\.sslserver\.certreq=/d',

@@ -139,6 +151,8 @@ class TestIpaCertFix(IntegrationTest):

         related: https://pagure.io/freeipa/issue/7885

         """

+        expire_cert_critical(self.master)

+

         # wait for cert expiry

         check_status(self.master, 8, "CA_UNREACHABLE")

-- 

2.29.2

From c84e0547e1a693ba0e9edbfeea7bafdb2fb2b4a2 Mon Sep 17 00:00:00 2001

From: Mohammad Rizwan <myusuf@redhat.com>

Date: Thu, 11 Feb 2021 16:59:53 +0530

Subject: [PATCH] ipatests: Test if ipa-cert-fix renews expired certs with kra

 installed

This test check if ipa-cert-fix renews certs with kra

certificate installed.

related: https://pagure.io/freeipa/issue/7885

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

Reviewed-By: Anuja More <amore@redhat.com>

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

Reviewed-By: Anuja More <amore@redhat.com>

---

 .../test_integration/test_ipa_cert_fix.py     | 25 +++++++++++++++++++

 1 file changed, 25 insertions(+)

diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py

index 591dc5031..b2e92d4dc 100644

--- a/ipatests/test_integration/test_ipa_cert_fix.py

+++ b/ipatests/test_integration/test_ipa_cert_fix.py

@@ -225,3 +225,28 @@ class TestIpaCertFixThirdParty(CALessBase):

         # the DS nickname is used and not a hardcoded value.

         result = self.master.run_command(['ipa-cert-fix', '-v'],)

         assert self.nickname in result.stderr_text

+

+

+class TestCertFixKRA(IntegrationTest):

+    @classmethod

+    def uninstall(cls, mh):

+        # Uninstall method is empty as the uninstallation is done in

+        # the fixture

+        pass

+

+    def test_renew_expired_cert_with_kra(self, expire_cert_critical):

+        """Test if ipa-cert-fix renews expired certs with kra installed

+

+        This test check if ipa-cert-fix renews certs with kra

+        certificate installed.

+

+        related: https://pagure.io/freeipa/issue/7885

+        """

+        expire_cert_critical(self.master, setup_kra=True)

+

+        # check if all subsystem cert expired

+        check_status(self.master, 11, "CA_UNREACHABLE")

+

+        self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')

+

+        check_status(self.master, 12, "MONITORING")

-- 

2.29.2

From 260fbcb03297ef1ed5418b16c0df0587d2989b22 Mon Sep 17 00:00:00 2001

From: Mohammad Rizwan <myusuf@redhat.com>

Date: Tue, 2 Mar 2021 11:42:36 +0530

Subject: [PATCH] ipatests: update nightly definition for ipa_cert_fix suite

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

Reviewed-By: Anuja More <amore@redhat.com>

---

 ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml         | 2 +-

 ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml | 2 +-

 ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml       | 2 +-

 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml

index ebd539246..8a88698eb 100644

--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml

+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml

@@ -1687,5 +1687,5 @@ jobs:

         build_url: '{fedora-latest-ipa-4-9/build_url}'

         test_suite: test_integration/test_ipa_cert_fix.py

         template: *ci-ipa-4-9-latest

-        timeout: 3600

+        timeout: 7200

         topology: *master_1repl

diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml

index d4b597d6e..14f0c4292 100644

--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml

+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml

@@ -1821,5 +1821,5 @@ jobs:

         selinux_enforcing: True

         test_suite: test_integration/test_ipa_cert_fix.py

         template: *ci-ipa-4-9-latest

-        timeout: 3600

+        timeout: 7200

         topology: *master_1repl

diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml

index 1fd589e6a..b7f8d2b3e 100644

--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml

+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml

@@ -1687,5 +1687,5 @@ jobs:

         build_url: '{fedora-previous-ipa-4-9/build_url}'

         test_suite: test_integration/test_ipa_cert_fix.py

         template: *ci-ipa-4-9-previous

-        timeout: 3600

+        timeout: 7200

         topology: *master_1repl

-- 

2.29.2