|
 |
7e1b55 |
From 02c0da3ef74948579106aab4b669f6e64dd60b24 Mon Sep 17 00:00:00 2001
|
|
|
7e1b55 |
From: Mohammad Rizwan <myusuf@redhat.com>
|
|
|
7e1b55 |
Date: Thu, 24 Jun 2021 13:10:00 +0530
|
|
|
7e1b55 |
Subject: [PATCH] ipatests: Test ipa-cert-fix warns when startup directive is
|
|
|
7e1b55 |
missing from CS.cfg
|
|
|
7e1b55 |
|
|
|
7e1b55 |
Earlier it used to fail when startup directive missing from CS.cfg.
|
|
|
7e1b55 |
With https://github.com/dogtagpki/pki/pull/3466, it changed to display
|
|
|
7e1b55 |
a warning than failing.
|
|
|
7e1b55 |
|
|
|
7e1b55 |
related: https://pagure.io/freeipa/issue/8890
|
|
|
7e1b55 |
|
|
|
7e1b55 |
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
|
|
7e1b55 |
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
7e1b55 |
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
7e1b55 |
---
|
|
|
7e1b55 |
.../test_integration/test_ipa_cert_fix.py | 92 ++++++++++++++++++-
|
|
|
7e1b55 |
1 file changed, 90 insertions(+), 2 deletions(-)
|
|
|
7e1b55 |
|
|
|
7e1b55 |
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
|
|
|
7e1b55 |
index b2e92d4dc..394e85603 100644
|
|
|
7e1b55 |
--- a/ipatests/test_integration/test_ipa_cert_fix.py
|
|
|
7e1b55 |
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
|
|
|
7e1b55 |
@@ -48,6 +48,16 @@ def check_status(host, cert_count, state, timeout=600):
|
|
|
7e1b55 |
return count
|
|
|
7e1b55 |
|
|
|
7e1b55 |
|
|
|
7e1b55 |
+def move_date(host, chrony_state, date_str):
|
|
|
7e1b55 |
+ """Helper method to move the date on given host
|
|
|
7e1b55 |
+ :param host: The host on which date is to be moved
|
|
|
7e1b55 |
+ :param chrony_state: State to which chrony service to be moved
|
|
|
7e1b55 |
+ :param date_str: date string to move the date i.e 2years1month1days
|
|
|
7e1b55 |
+ """
|
|
|
7e1b55 |
+ host.run_command(['systemctl', chrony_state, 'chronyd'])
|
|
|
7e1b55 |
+ host.run_command(['date', '-s', date_str])
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
@pytest.fixture
|
|
|
7e1b55 |
def expire_cert_critical():
|
|
|
7e1b55 |
"""
|
|
|
7e1b55 |
@@ -82,6 +92,17 @@ class TestIpaCertFix(IntegrationTest):
|
|
|
7e1b55 |
# the fixture
|
|
|
7e1b55 |
pass
|
|
|
7e1b55 |
|
|
|
7e1b55 |
+ @pytest.fixture
|
|
|
7e1b55 |
+ def expire_ca_cert(self):
|
|
|
7e1b55 |
+ tasks.install_master(self.master, setup_dns=False,
|
|
|
7e1b55 |
+ extra_args=['--no-ntp'])
|
|
|
7e1b55 |
+ move_date(self.master, 'stop', '+20Years+1day')
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+ yield
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+ tasks.uninstall_master(self.master)
|
|
|
7e1b55 |
+ move_date(self.master, 'start', '-20Years-1day')
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
def test_missing_csr(self, expire_cert_critical):
|
|
|
7e1b55 |
"""
|
|
|
7e1b55 |
Test that ipa-cert-fix succeeds when CSR is missing from CS.cfg
|
|
|
7e1b55 |
@@ -122,7 +143,8 @@ class TestIpaCertFix(IntegrationTest):
|
|
|
7e1b55 |
|
|
|
7e1b55 |
# Because of BZ 1897120, pki-cert-fix fails on pki-core 10.10.0
|
|
|
7e1b55 |
# https://bugzilla.redhat.com/show_bug.cgi?id=1897120
|
|
|
7e1b55 |
- if tasks.get_pki_version(self.master) != tasks.parse_version('10.10.0'):
|
|
|
7e1b55 |
+ if (tasks.get_pki_version(self.master)
|
|
|
7e1b55 |
+ != tasks.parse_version('10.10.0')):
|
|
|
7e1b55 |
assert result.returncode == 0
|
|
|
7e1b55 |
|
|
|
7e1b55 |
# get the number of certs track by certmonger
|
|
|
7e1b55 |
@@ -180,6 +202,72 @@ class TestIpaCertFix(IntegrationTest):
|
|
|
7e1b55 |
raiseonerr=False)
|
|
|
7e1b55 |
assert result.returncode == 2
|
|
|
7e1b55 |
|
|
|
7e1b55 |
+ def test_missing_startup(self, expire_cert_critical):
|
|
|
7e1b55 |
+ """
|
|
|
7e1b55 |
+ Test ipa-cert-fix fails/warns when startup directive is missing
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+ This test checks that if 'selftests.container.order.startup' directive
|
|
|
7e1b55 |
+ is missing from CS.cfg, ipa-cert-fix fails and throw proper error
|
|
|
7e1b55 |
+ message. It also checks that underlying command 'pki-server cert-fix'
|
|
|
7e1b55 |
+ should fail to renew the cert.
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+ related: https://pagure.io/freeipa/issue/8721
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+ With https://github.com/dogtagpki/pki/pull/3466, it changed to display
|
|
|
7e1b55 |
+ a warning than failing.
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+ This test also checks that if 'selftests.container.order.startup'
|
|
|
7e1b55 |
+ directive is missing from CS.cfg, ipa-cert-fix dsplay proper warning
|
|
|
7e1b55 |
+ (depending on pki version)
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+ related: https://pagure.io/freeipa/issue/8890
|
|
|
7e1b55 |
+ """
|
|
|
7e1b55 |
+ expire_cert_critical(self.master)
|
|
|
7e1b55 |
+ # pki must be stopped in order to edit CS.cfg
|
|
|
7e1b55 |
+ self.master.run_command(['ipactl', 'stop'])
|
|
|
7e1b55 |
+ self.master.run_command([
|
|
|
7e1b55 |
+ 'sed', '-i', r'/selftests\.container\.order\.startup/d',
|
|
|
7e1b55 |
+ paths.CA_CS_CFG_PATH
|
|
|
7e1b55 |
+ ])
|
|
|
7e1b55 |
+ # dirsrv needs to be up in order to run ipa-cert-fix
|
|
|
7e1b55 |
+ self.master.run_command(['ipactl', 'start',
|
|
|
7e1b55 |
+ '--ignore-service-failures'])
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+ result = self.master.run_command(['ipa-cert-fix', '-v'],
|
|
|
7e1b55 |
+ stdin_text='yes\n',
|
|
|
7e1b55 |
+ raiseonerr=False)
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+ err_msg1 = "ERROR: 'selftests.container.order.startup'"
|
|
|
7e1b55 |
+ # check that pki-server cert-fix command fails
|
|
|
7e1b55 |
+ err_msg2 = ("ERROR: CalledProcessError(Command "
|
|
|
7e1b55 |
+ "['pki-server', 'cert-fix'")
|
|
|
7e1b55 |
+ warn_msg = ("WARNING: No selftests configured in "
|
|
|
7e1b55 |
+ f"{paths.CA_CS_CFG_PATH} "
|
|
|
7e1b55 |
+ "(selftests.container.order.startup)")
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+ if (tasks.get_pki_version(self.master)
|
|
|
7e1b55 |
+ < tasks.parse_version('10.11.0')):
|
|
|
7e1b55 |
+ assert (err_msg1 in result.stderr_text
|
|
|
7e1b55 |
+ and err_msg2 in result.stderr_text)
|
|
|
7e1b55 |
+ else:
|
|
|
7e1b55 |
+ assert warn_msg in result.stdout_text
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+ def test_expired_CA_cert(self, expire_ca_cert):
|
|
|
7e1b55 |
+ """Test to check ipa-cert-fix when CA certificate is expired
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+ In order to fix expired certs using ipa-cert-fix, CA cert should be
|
|
|
7e1b55 |
+ valid. If CA cert expired, ipa-cert-fix won't work.
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+ related: https://pagure.io/freeipa/issue/8721
|
|
|
7e1b55 |
+ """
|
|
|
7e1b55 |
+ result = self.master.run_command(['ipa-cert-fix', '-v'],
|
|
|
7e1b55 |
+ stdin_text='yes\n',
|
|
|
7e1b55 |
+ raiseonerr=False)
|
|
|
7e1b55 |
+ # check that pki-server cert-fix command fails
|
|
|
7e1b55 |
+ err_msg = ("ERROR: CalledProcessError(Command "
|
|
|
7e1b55 |
+ "['pki-server', 'cert-fix'")
|
|
|
7e1b55 |
+ assert err_msg in result.stderr_text
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
|
|
|
7e1b55 |
class TestIpaCertFixThirdParty(CALessBase):
|
|
|
7e1b55 |
"""
|
|
|
7e1b55 |
@@ -219,7 +307,7 @@ class TestIpaCertFixThirdParty(CALessBase):
|
|
|
7e1b55 |
'--pin', self.master.config.admin_password,
|
|
|
7e1b55 |
'-d', 'server.p12']
|
|
|
7e1b55 |
self.master.run_command(args)
|
|
|
7e1b55 |
- self.master.run_command(['ipactl', 'restart',])
|
|
|
7e1b55 |
+ self.master.run_command(['ipactl', 'restart'])
|
|
|
7e1b55 |
|
|
|
7e1b55 |
# Run ipa-cert-fix. This is basically a no-op but tests that
|
|
|
7e1b55 |
# the DS nickname is used and not a hardcoded value.
|
|
|
7e1b55 |
--
|
|
|
7e1b55 |
2.31.1
|
|
|
7e1b55 |
|