7e1b55
From 02c0da3ef74948579106aab4b669f6e64dd60b24 Mon Sep 17 00:00:00 2001
7e1b55
From: Mohammad Rizwan <myusuf@redhat.com>
7e1b55
Date: Thu, 24 Jun 2021 13:10:00 +0530
7e1b55
Subject: [PATCH] ipatests: Test ipa-cert-fix warns when startup directive is
7e1b55
 missing from CS.cfg
7e1b55
7e1b55
Earlier it used to fail when startup directive missing from CS.cfg.
7e1b55
With https://github.com/dogtagpki/pki/pull/3466, it changed to display
7e1b55
a warning rather than failing.
7e1b55
7e1b55
related: https://pagure.io/freeipa/issue/8890
7e1b55
7e1b55
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
7e1b55
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
7e1b55
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
7e1b55
---
7e1b55
 .../test_integration/test_ipa_cert_fix.py     | 92 ++++++++++++++++++-
7e1b55
 1 file changed, 90 insertions(+), 2 deletions(-)
7e1b55
7e1b55
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
7e1b55
index b2e92d4dc..394e85603 100644
7e1b55
--- a/ipatests/test_integration/test_ipa_cert_fix.py
7e1b55
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
7e1b55
@@ -48,6 +48,16 @@ def check_status(host, cert_count, state, timeout=600):
7e1b55
     return count
7e1b55
 
7e1b55
 
7e1b55
+def move_date(host, chrony_state, date_str):
7e1b55
+    """Helper method to move the date on given host
7e1b55
+    :param host: The host on which date is to be moved
7e1b55
+    :param chrony_state: State to which chrony service to be moved
7e1b55
+    :param date_str: date string to move the date i.e 2years1month1days
7e1b55
+    """
7e1b55
+    host.run_command(['systemctl', chrony_state, 'chronyd'])
7e1b55
+    host.run_command(['date', '-s', date_str])
7e1b55
+
7e1b55
+
7e1b55
 @pytest.fixture
7e1b55
 def expire_cert_critical():
7e1b55
     """
7e1b55
@@ -82,6 +92,17 @@ class TestIpaCertFix(IntegrationTest):
7e1b55
         # the fixture
7e1b55
         pass
7e1b55
 
7e1b55
+    @pytest.fixture
7e1b55
+    def expire_ca_cert(self):
7e1b55
+        tasks.install_master(self.master, setup_dns=False,
7e1b55
+                             extra_args=['--no-ntp'])
7e1b55
+        move_date(self.master, 'stop', '+20Years+1day')
7e1b55
+
7e1b55
+        yield
7e1b55
+
7e1b55
+        tasks.uninstall_master(self.master)
7e1b55
+        move_date(self.master, 'start', '-20Years-1day')
7e1b55
+
7e1b55
     def test_missing_csr(self, expire_cert_critical):
7e1b55
         """
7e1b55
         Test that ipa-cert-fix succeeds when CSR is missing from CS.cfg
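Review bot: The teardown of `expire_ca_cert` restores the clock only if `tasks.uninstall_master(self.master)` returns normally. If the uninstall raises, the master stays 20 years ahead with chronyd stopped, and any later test on that host evaluates certificate validity and Kerberos ticket lifetimes against a wrong clock. Putting the uninstall under `try:` and the `move_date(self.master, 'start', '-20Years-1day')` call under `finally:` makes the restore unconditional. The fixture also has no docstring; a one-liner such as `"""Install the master without NTP and move its clock forward so the CA certificate is expired"""` would explain the date jump.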
7e1b55
@@ -122,7 +143,8 @@ class TestIpaCertFix(IntegrationTest):
7e1b55
 
7e1b55
         # Because of BZ 1897120, pki-cert-fix fails on pki-core 10.10.0
7e1b55
         # https://bugzilla.redhat.com/show_bug.cgi?id=1897120
7e1b55
-        if tasks.get_pki_version(self.master) != tasks.parse_version('10.10.0'):
7e1b55
+        if (tasks.get_pki_version(self.master)
7e1b55
+           != tasks.parse_version('10.10.0')):
7e1b55
             assert result.returncode == 0
7e1b55
 
7e1b55
             # get the number of certs track by certmonger
7e1b55
@@ -180,6 +202,72 @@ class TestIpaCertFix(IntegrationTest):
7e1b55
                                          raiseonerr=False)
7e1b55
         assert result.returncode == 2
7e1b55
 
7e1b55
+    def test_missing_startup(self, expire_cert_critical):
7e1b55
+        """
7e1b55
+        Test ipa-cert-fix fails/warns when startup directive is missing
7e1b55
+
7e1b55
+        This test checks that if 'selftests.container.order.startup' directive
7e1b55
+        is missing from CS.cfg, ipa-cert-fix fails and throw proper error
7e1b55
+        message. It also checks that underlying command 'pki-server cert-fix'
7e1b55
+        should fail to renew the cert.
7e1b55
+
7e1b55
+        related: https://pagure.io/freeipa/issue/8721
7e1b55
+
7e1b55
+        With https://github.com/dogtagpki/pki/pull/3466, it changed to display
7e1b55
+        a warning than failing.
7e1b55
+
7e1b55
+        This test also checks that if 'selftests.container.order.startup'
7e1b55
+        directive is missing from CS.cfg, ipa-cert-fix dsplay proper warning
7e1b55
+        (depending on pki version)
7e1b55
+
7e1b55
+        related: https://pagure.io/freeipa/issue/8890
7e1b55
+        """
7e1b55
+        expire_cert_critical(self.master)
7e1b55
+        # pki must be stopped in order to edit CS.cfg
7e1b55
+        self.master.run_command(['ipactl', 'stop'])
7e1b55
+        self.master.run_command([
7e1b55
+            'sed', '-i', r'/selftests\.container\.order\.startup/d',
7e1b55
+            paths.CA_CS_CFG_PATH
7e1b55
+        ])
7e1b55
+        # dirsrv needs to be up in order to run ipa-cert-fix
7e1b55
+        self.master.run_command(['ipactl', 'start',
7e1b55
+                                 '--ignore-service-failures'])
7e1b55
+
7e1b55
+        result = self.master.run_command(['ipa-cert-fix', '-v'],
7e1b55
+                                         stdin_text='yes\n',
7e1b55
+                                         raiseonerr=False)
7e1b55
+
7e1b55
+        err_msg1 = "ERROR: 'selftests.container.order.startup'"
7e1b55
+        # check that pki-server cert-fix command fails
7e1b55
+        err_msg2 = ("ERROR: CalledProcessError(Command "
7e1b55
+                    "['pki-server', 'cert-fix'")
7e1b55
+        warn_msg = ("WARNING: No selftests configured in "
7e1b55
+                    f"{paths.CA_CS_CFG_PATH} "
7e1b55
+                    "(selftests.container.order.startup)")
7e1b55
+
7e1b55
+        if (tasks.get_pki_version(self.master)
7e1b55
+           < tasks.parse_version('10.11.0')):
7e1b55
+            assert (err_msg1 in result.stderr_text
7e1b55
+                    and err_msg2 in result.stderr_text)
7e1b55
+        else:
7e1b55
+            assert warn_msg in result.stdout_text
7e1b55
+
7e1b55
+    def test_expired_CA_cert(self, expire_ca_cert):
7e1b55
+        """Test to check ipa-cert-fix when CA certificate is expired
7e1b55
+
7e1b55
+        In order to fix expired certs using ipa-cert-fix, CA cert should be
7e1b55
+        valid. If CA cert expired, ipa-cert-fix won't work.
7e1b55
+
7e1b55
+        related: https://pagure.io/freeipa/issue/8721
7e1b55
+        """
7e1b55
+        result = self.master.run_command(['ipa-cert-fix', '-v'],
7e1b55
+                                         stdin_text='yes\n',
7e1b55
+                                         raiseonerr=False)
7e1b55
+        # check that pki-server cert-fix command fails
7e1b55
+        err_msg = ("ERROR: CalledProcessError(Command "
7e1b55
+                   "['pki-server', 'cert-fix'")
7e1b55
+        assert err_msg in result.stderr_text
7e1b55
+
7e1b55
 
7e1b55
 class TestIpaCertFixThirdParty(CALessBase):
7e1b55
     """
7e1b55
@@ -219,7 +307,7 @@ class TestIpaCertFixThirdParty(CALessBase):
7e1b55
                 '--pin', self.master.config.admin_password,
7e1b55
                 '-d', 'server.p12']
7e1b55
         self.master.run_command(args)
7e1b55
-        self.master.run_command(['ipactl', 'restart',])
7e1b55
+        self.master.run_command(['ipactl', 'restart'])
7e1b55
 
7e1b55
         # Run ipa-cert-fix. This is basically a no-op but tests that
7e1b55
         # the DS nickname is used and not a hardcoded value.
7e1b55
-- 
7e1b55
2.31.1
7e1b55