|
 |
7e1b55 |
From 701adb9185c77194ba1ad0c5fd2f13484417ef6f Mon Sep 17 00:00:00 2001
|
|
|
7e1b55 |
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
|
7e1b55 |
Date: Tue, 20 Jul 2021 20:22:23 +0200
|
|
|
7e1b55 |
Subject: [PATCH] test_acme: make password renewal more robust
|
|
|
7e1b55 |
MIME-Version: 1.0
|
|
|
7e1b55 |
Content-Type: text/plain; charset=UTF-8
|
|
|
7e1b55 |
Content-Transfer-Encoding: 8bit
|
|
|
7e1b55 |
|
|
|
7e1b55 |
A kinit immediately following a password change can fail.
|
|
|
7e1b55 |
Setting KRB5_TRACE and retrieving kdcinfo will help to understand
|
|
|
7e1b55 |
the cause of failure.
|
|
|
7e1b55 |
|
|
|
7e1b55 |
Fixes: https://pagure.io/freeipa/issue/8929
|
|
|
7e1b55 |
Signed-off-by: François Cami <fcami@redhat.com>
|
|
|
7e1b55 |
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
|
|
7e1b55 |
---
|
|
|
7e1b55 |
ipatests/test_integration/test_acme.py | 28 +++++++++++++-------------
|
|
|
7e1b55 |
1 file changed, 14 insertions(+), 14 deletions(-)
|
|
|
7e1b55 |
|
|
|
7e1b55 |
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
|
|
|
7e1b55 |
index b4aa1b351..10195a95f 100644
|
|
|
7e1b55 |
--- a/ipatests/test_integration/test_acme.py
|
|
|
7e1b55 |
+++ b/ipatests/test_integration/test_acme.py
|
|
|
7e1b55 |
@@ -576,25 +576,25 @@ class TestACMERenew(IntegrationTest):
|
|
|
7e1b55 |
# request a standalone acme cert
|
|
|
7e1b55 |
certbot_standalone_cert(self.clients[0], self.acme_server)
|
|
|
7e1b55 |
|
|
|
7e1b55 |
- cmd_input = (
|
|
|
7e1b55 |
- # Password for admin@{REALM}:
|
|
|
7e1b55 |
- "{pwd}\n"
|
|
|
7e1b55 |
- # Password expired. You must change it now.
|
|
|
7e1b55 |
- # Enter new password:
|
|
|
7e1b55 |
- "{pwd}\n"
|
|
|
7e1b55 |
- # Enter it again:
|
|
|
7e1b55 |
- "{pwd}\n"
|
|
|
7e1b55 |
- )
|
|
|
7e1b55 |
# move system date to expire acme cert
|
|
|
7e1b55 |
for host in self.clients[0], self.master:
|
|
|
7e1b55 |
tasks.kdestroy_all(host)
|
|
|
7e1b55 |
tasks.move_date(host, 'stop', '+90days')
|
|
|
7e1b55 |
- self.clients[0].run_command(
|
|
|
7e1b55 |
- ['kinit', 'admin'],
|
|
|
7e1b55 |
- stdin_text=cmd_input.format(
|
|
|
7e1b55 |
- pwd=self.clients[0].config.admin_password
|
|
|
7e1b55 |
- )
|
|
|
7e1b55 |
+
|
|
|
7e1b55 |
+ tasks.get_kdcinfo(host)
|
|
|
7e1b55 |
+ # Note raiseonerr=False:
|
|
|
7e1b55 |
+ # the assert is located after kdcinfo retrieval.
|
|
|
7e1b55 |
+ result = host.run_command(
|
|
|
7e1b55 |
+ "KRB5_TRACE=/dev/stdout kinit %s" % 'admin',
|
|
|
7e1b55 |
+ stdin_text='{0}\n{0}\n{0}\n'.format(
|
|
|
7e1b55 |
+ self.clients[0].config.admin_password
|
|
|
7e1b55 |
+ ),
|
|
|
7e1b55 |
+ raiseonerr=False
|
|
|
7e1b55 |
)
|
|
|
7e1b55 |
+ # Retrieve kdc.$REALM after the password change, just in case SSSD
|
|
|
7e1b55 |
+ # domain status flipped to online during the password change.
|
|
|
7e1b55 |
+ tasks.get_kdcinfo(host)
|
|
|
7e1b55 |
+ assert result.returncode == 0
|
|
|
7e1b55 |
|
|
|
7e1b55 |
yield
|
|
|
7e1b55 |
|
|
|
7e1b55 |
--
|
|
|
7e1b55 |
2.31.1
|
|
|
7e1b55 |
|