From e0aef5296b66c0b460f7e10993610fe68b312241 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Mon, 19 Apr 2021 12:08:28 +0530
Subject: [PATCH] ipatests: test to renew certs on replica using ipa-cert-fix
This test checks if ipa-cert-fix renews the certs on replica
after cert renewal on master.
related: https://pagure.io/freeipa/issue/7885
ipatests: refactor expire_cert_critical fixture
Defined method to move the date and refactor
expire_cert_critical fixture using it
ipatests: PEP8 fixes
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_ipa_cert_fix.py | 74 ++++++++++++++++++-
1 file changed, 70 insertions(+), 4 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index f3cf59afc..a20996737 100644
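--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -6,6 +6,7 @@
 Module provides tests for ipa-cert-fix CLI.
 """
 import pytest
+import re
 import time
 
 import logging
@@ -74,15 +75,15 @@ def expire_cert_critical():
 extra_args=['--no-ntp'])
 if setup_kra:
 tasks.install_kra(host)
- host.run_command(['systemctl', 'stop', 'chronyd'])
- host.run_command(['date', '-s', '+3Years+1day'])
+
+ # move date to expire certs
+ move_date(host, 'stop', '+3Years+1day')
 
 yield _expire_cert_critical
 
 host = hosts.pop('host')
 tasks.uninstall_master(host)
- host.run_command(['date', '-s', '-3Years-1day'])
- host.run_command(['systemctl', 'start', 'chronyd'])
+ move_date(host, 'start', '-3Years-1day')
 
 
 class TestIpaCertFix(IntegrationTest):
@@ -336,3 +337,68 @@ class TestCertFixKRA(IntegrationTest):
 self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
 
 check_status(self.master, 12, "MONITORING")
+
+
+class TestCertFixReplica(IntegrationTest):
+
+ num_replicas = 1
+
+ @classmethod
+ def install(cls, mh):
+ tasks.install_master(
+ mh.master, setup_dns=False, extra_args=['--no-ntp']
+ )
+ tasks.install_replica(
+ mh.master, mh.replicas[0],
+ setup_dns=False, extra_args=['--no-ntp']
+ )
+
+ def test_renew_expired_cert_replica(self):
+ """Test renewal of certificates on replica with ipa-cert-fix
+
+ This is to check that ipa-cert-fix renews the certificates
+ on replica
+
+ related: https://pagure.io/freeipa/issue/7885
+ """
+ move_date(self.master, 'stop', '+3years+1days')
+
+ # wait for cert expiry
+ check_status(self.master, 8, "CA_UNREACHABLE")
+
+ self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
+
+ check_status(self.master, 9, "MONITORING")
+
+ # move system date to expire cert on replica
+ move_date(self.replicas[0], 'stop', '+3years+1days')
+
+ # RA agent cert will be expired and in CA_UNREACHABLE state
+ check_status(self.replicas[0], 1, "CA_UNREACHABLE")
+
+ # renew RA agent cert
+ self.replicas[0].run_command(
+ ['ipa-cert-fix', '-v'], stdin_text='yes\n'
+ )
+
+ # LDAP/HTTP/PKINIT certs will be renewed automaticaly
+ # after moving date on replica. This 3, 1 CA cert,
+ # 1 RA agent cert. Check for total 5 valid certs.
+ check_status(self.replicas[0], 5, "MONITORING")
+
+ # get the req ids of all certs to renew remaining
+ # certs by re-submitting it
+ result = self.replicas[0].run_command(['getcert', 'list'])
+ req_ids = re.findall(r'\d{14}', result.stdout_text)
+
+ # resubmit the certs to renew them
+ for req_id in req_ids:
+ self.replicas[0].run_command(
+ ['getcert', 'resubmit', '-i', req_id]
+ )
+
+ check_status(self.master, 9, "MONITORING")
+
+ # move date back on replica and master
+ move_date(self.replicas[0], 'start', '-3years-1days')
+ move_date(self.master, 'start', '-3years-1days')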
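Review bot: The clock is only moved back by the last two `move_date(..., 'start', '-3years-1days')` calls of `test_renew_expired_cert_replica`, so any failing `check_status` or `run_command` before them leaves master and replica three years ahead (presumably with chronyd still stopped), and every certificate-validity check that later runs on those hosts sees a wrong clock. Restore the date in a `finally` block, and only on hosts whose date was actually moved, as sketched below. Separately, the check after the resubmit loop queries `self.master` although the requests were resubmitted on `self.replicas[0]`, which looks unintended, and `re.findall(r'\d{14}', ...)` would be more robust anchored to the request-ID line of the `getcert list` output, e.g. `r"Request ID '(\d+)'"`. `move_date` is neither defined nor imported in any visible hunk, and the three hunks already account for all 70 insertions in the diffstat, so it presumably comes from another patch in the series.

```python
    def test_renew_expired_cert_replica(self):
        moved = []
        try:
            move_date(self.master, 'stop', '+3years+1days')
            moved.append(self.master)
            # … unchanged: master renewal and status checks …
            move_date(self.replicas[0], 'stop', '+3years+1days')
            moved.append(self.replicas[0])
            # … unchanged: replica renewal, resubmit loop, status checks …
        finally:
            # restore clocks in reverse order, only on hosts that were moved
            for host in reversed(moved):
                move_date(host, 'start', '-3years-1days')
```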
--
2.31.1