7e1b55
From e0aef5296b66c0b460f7e10993610fe68b312241 Mon Sep 17 00:00:00 2001
7e1b55
From: Mohammad Rizwan <myusuf@redhat.com>
7e1b55
Date: Mon, 19 Apr 2021 12:08:28 +0530
7e1b55
Subject: [PATCH] ipatests: test to renew certs on replica using ipa-cert-fix
7e1b55
7e1b55
This test checks if ipa-cert-fix renews the certs on replica
7e1b55
after cert renewal on master.
7e1b55
7e1b55
related: https://pagure.io/freeipa/issue/7885
7e1b55
7e1b55
ipatests: refactor expire_cert_critical fixture
7e1b55
7e1b55
Defined method to move the date and refactor
7e1b55
expire_cert_critical fixture using it
7e1b55
7e1b55
ipatests: PEP8 fixes
7e1b55
7e1b55
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
7e1b55
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
7e1b55
---
7e1b55
 .../test_integration/test_ipa_cert_fix.py     | 74 ++++++++++++++++++-
7e1b55
 1 file changed, 70 insertions(+), 4 deletions(-)
7e1b55
7e1b55
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
7e1b55
index f3cf59afc..a20996737 100644
7e1b55
--- a/ipatests/test_integration/test_ipa_cert_fix.py
7e1b55
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
7e1b55
@@ -6,6 +6,7 @@
7e1b55
 Module provides tests for ipa-cert-fix CLI.
7e1b55
 """
7e1b55
 import pytest
7e1b55
+import re
7e1b55
 import time
7e1b55
 
7e1b55
 import logging
7e1b55
@@ -74,15 +75,15 @@ def expire_cert_critical():
7e1b55
                              extra_args=['--no-ntp'])
7e1b55
         if setup_kra:
7e1b55
             tasks.install_kra(host)
7e1b55
-        host.run_command(['systemctl', 'stop', 'chronyd'])
7e1b55
-        host.run_command(['date', '-s', '+3Years+1day'])
7e1b55
+
7e1b55
+        # move date to expire certs
7e1b55
+        move_date(host, 'stop', '+3Years+1day')
7e1b55
 
7e1b55
     yield _expire_cert_critical
7e1b55
 
7e1b55
     host = hosts.pop('host')
7e1b55
     tasks.uninstall_master(host)
7e1b55
-    host.run_command(['date', '-s', '-3Years-1day'])
7e1b55
-    host.run_command(['systemctl', 'start', 'chronyd'])
7e1b55
+    move_date(host, 'start', '-3Years-1day')
7e1b55
 
7e1b55
 
7e1b55
 class TestIpaCertFix(IntegrationTest):
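Review bot: `move_date` is called in both the setup and teardown paths of `expire_cert_critical`, but no hunk in this patch defines it, and the diffstat's 70 insertions are fully accounted for by the visible added lines. The helper presumably comes from another change, so confirm it is in scope here, otherwise the fixture fails with a NameError. The removed lines stopped chronyd before setting the date and restarted it only after moving the date back; the helper has to keep that order for `'stop'` and `'start'`, or chronyd can correct the clock before the certs expire. A short comment at the call sites would help, for example `# stops chronyd first so the shifted clock is not corrected`. The fixture body starts outside this hunk.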
7e1b55
@@ -336,3 +337,68 @@ class TestCertFixKRA(IntegrationTest):
7e1b55
         self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
7e1b55
 
7e1b55
         check_status(self.master, 12, "MONITORING")
7e1b55
+
7e1b55
+
7e1b55
+class TestCertFixReplica(IntegrationTest):
7e1b55
+
7e1b55
+    num_replicas = 1
7e1b55
+
7e1b55
+    @classmethod
7e1b55
+    def install(cls, mh):
7e1b55
+        tasks.install_master(
7e1b55
+            mh.master, setup_dns=False, extra_args=['--no-ntp']
7e1b55
+        )
7e1b55
+        tasks.install_replica(
7e1b55
+            mh.master, mh.replicas[0],
7e1b55
+            setup_dns=False, extra_args=['--no-ntp']
7e1b55
+        )
7e1b55
+
7e1b55
+    def test_renew_expired_cert_replica(self):
7e1b55
+        """Test renewal of certificates on replica with ipa-cert-fix
7e1b55
+
7e1b55
+        This is to check that ipa-cert-fix renews the certificates
7e1b55
+        on replica
7e1b55
+
7e1b55
+        related: https://pagure.io/freeipa/issue/7885
7e1b55
+        """
7e1b55
+        move_date(self.master, 'stop', '+3years+1days')
7e1b55
+
7e1b55
+        # wait for cert expiry
7e1b55
+        check_status(self.master, 8, "CA_UNREACHABLE")
7e1b55
+
7e1b55
+        self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
7e1b55
+
7e1b55
+        check_status(self.master, 9, "MONITORING")
7e1b55
+
7e1b55
+        # move system date to expire cert on replica
7e1b55
+        move_date(self.replicas[0], 'stop', '+3years+1days')
7e1b55
+
7e1b55
+        # RA agent cert will be expired and in CA_UNREACHABLE state
7e1b55
+        check_status(self.replicas[0], 1, "CA_UNREACHABLE")
7e1b55
+
7e1b55
+        # renew RA agent cert
7e1b55
+        self.replicas[0].run_command(
7e1b55
+            ['ipa-cert-fix', '-v'], stdin_text='yes\n'
7e1b55
+        )
7e1b55
+
7e1b55
+        # LDAP/HTTP/PKINIT certs will be renewed automaticaly
7e1b55
+        # after moving date on replica. This 3, 1 CA cert,
7e1b55
+        # 1 RA agent cert. Check for total 5 valid certs.
7e1b55
+        check_status(self.replicas[0], 5, "MONITORING")
7e1b55
+
7e1b55
+        # get the req ids of all certs to renew remaining
7e1b55
+        # certs by re-submitting it
7e1b55
+        result = self.replicas[0].run_command(['getcert', 'list'])
7e1b55
+        req_ids = re.findall(r'\d{14}', result.stdout_text)
7e1b55
+
7e1b55
+        # resubmit the certs to renew them
7e1b55
+        for req_id in req_ids:
7e1b55
+            self.replicas[0].run_command(
7e1b55
+                ['getcert', 'resubmit', '-i', req_id]
7e1b55
+            )
7e1b55
+
7e1b55
+        check_status(self.master, 9, "MONITORING")
7e1b55
+
7e1b55
+        # move date back on replica and master
7e1b55
+        move_date(self.replicas[0], 'start', '-3years-1days')
7e1b55
+        move_date(self.master, 'start', '-3years-1days')
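Review bot: The two `move_date(..., 'start', '-3years-1days')` calls at the end of `test_renew_expired_cert_replica` run only if every `check_status` and `run_command` before them succeeds. A single failed assertion leaves master and replica three years ahead with chronyd stopped, which skews certificate validity and Kerberos ticket checks for the uninstall and for any later test on these hosts. Wrapping the body in `try`/`finally` and restoring only the hosts whose clock was actually moved avoids that. Separately, `re.findall(r'\d{14}', ...)` picks up any 14-digit run in the `getcert list` output; anchoring it as `re.findall(r"Request ID '(\d+)'", result.stdout_text)` is tighter. The last `check_status` also targets `self.master` although the resubmits ran on the replica, so the replica's renewed certs appear to go unverified.

```python
    def test_renew_expired_cert_replica(self):
        # … unchanged: docstring …
        moved = []
        try:
            move_date(self.master, 'stop', '+3years+1days')
            moved.append(self.master)
            # … unchanged: ipa-cert-fix on master, status checks …
            move_date(self.replicas[0], 'stop', '+3years+1days')
            moved.append(self.replicas[0])
            # … unchanged: ipa-cert-fix on replica, getcert resubmit loop, status checks …
        finally:
            # restore clocks even when a check above fails; replica first, then master
            for host in reversed(moved):
                move_date(host, 'start', '-3years-1days')
```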
7e1b55
-- 
7e1b55
2.31.1
7e1b55