From a620e5e9e152defe144705913521c3cf556faa0e Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Mon, 26 Apr 2021 15:50:20 +0530
Subject: [PATCH] ipatests: wait while http/ldap/pkinit cert get renew on
replica
LDAP/HTTP/PKINIT certificates should be renewd on replica after
moving system date. Test was failing because ipa-cert-fix ran
while these cert was not renewd and it tried to fix it.
This test adds check for replication before calling ipa-cert-fix
on replica.
Fixes: https://pagure.io/freeipa/issue/8815
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_ipa_cert_fix.py | 172 +++++++++++++++---
1 file changed, 144 insertions(+), 28 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index a20996737..fa69743e2 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -5,16 +5,19 @@
"""
Module provides tests for ipa-cert-fix CLI.
"""
+from cryptography.hazmat.backends import default_backend
+from cryptography import x509
+from datetime import datetime, date
import pytest
-import re
import time
import logging
from ipaplatform.paths import paths
+from ipapython.ipaldap import realm_to_serverid
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
-
+from ipatests.test_integration.test_cert import get_certmonger_fs_id
logger = logging.getLogger(__name__)
@@ -59,6 +62,49 @@ def move_date(host, chrony_state, date_str):
host.run_command(['date', '-s', date_str])
+def needs_resubmit(host, req_id):
+ """Helper method to identify if cert request needs to be resubmitted
+ :param host: the host
+ :param req_id: request id to perform operation for
+
+ Returns True if resubmit needed else False
+ """
+ # check if cert is in monitoring state
+ tasks.wait_for_certmonger_status(
+ host, ('MONITORING'), req_id, timeout=600
+ )
+
+ # check if cert is valid and not expired
+ cmd = host.run_command(
+ 'getcert list -i {} | grep expires'.format(req_id)
+ )
+ cert_expiry = cmd.stdout_text.split(' ')
+ cert_expiry = datetime.strptime(cert_expiry[1], '%Y-%m-%d').date()
+ if cert_expiry > date.today():
+ return False
+ else:
+ return True
+
+
+def get_cert_expiry(host, nssdb_path, cert_nick):
+ """Method to get cert expiry date of given certificate
+
+ :param host: the host
+ :param nssdb_path: nssdb path of certificate
+ :param cert_nick: certificate nick name for extracting cert from nssdb
+ """
+ # get initial expiry date to compare later with renewed cert
+ host.run_command([
+ 'certutil', '-L', '-a',
+ '-d', nssdb_path,
+ '-n', cert_nick,
+ '-o', '/root/cert.pem'
+ ])
+ data = host.get_file_contents('/root/cert.pem')
+ cert = x509.load_pem_x509_certificate(data, backend=default_backend())
+ return cert.not_valid_after
+
+
@pytest.fixture
def expire_cert_critical():
"""
@@ -353,7 +399,19 @@ class TestCertFixReplica(IntegrationTest):
setup_dns=False, extra_args=['--no-ntp']
)
- def test_renew_expired_cert_replica(self):
+ @pytest.fixture
+ def expire_certs(self):
+ # move system date to expire certs
+ for host in self.master, self.replicas[0]:
+ tasks.move_date(host, 'stop', '+3years+1days')
+
+ yield
+
+ # move date back on replica and master
+ for host in self.master, self.replicas[0]:
+ tasks.move_date(host, 'start', '-3years-1days')
+
+ def test_renew_expired_cert_replica(self, expire_certs):
"""Test renewal of certificates on replica with ipa-cert-fix
This is to check that ipa-cert-fix renews the certificates
@@ -361,8 +419,6 @@ class TestCertFixReplica(IntegrationTest):
related: https://pagure.io/freeipa/issue/7885
"""
- move_date(self.master, 'stop', '+3years+1days')
-
# wait for cert expiry
check_status(self.master, 8, "CA_UNREACHABLE")
@@ -370,35 +426,95 @@ class TestCertFixReplica(IntegrationTest):
check_status(self.master, 9, "MONITORING")
- # move system date to expire cert on replica
- move_date(self.replicas[0], 'stop', '+3years+1days')
-
- # RA agent cert will be expired and in CA_UNREACHABLE state
- check_status(self.replicas[0], 1, "CA_UNREACHABLE")
-
- # renew RA agent cert
- self.replicas[0].run_command(
- ['ipa-cert-fix', '-v'], stdin_text='yes\n'
+ # replica operations
+ # 'Server-Cert cert-pki-ca' cert will be in CA_UNREACHABLE state
+ cmd = self.replicas[0].run_command(
+ ['getcert', 'list',
+ '-d', paths.PKI_TOMCAT_ALIAS_DIR,
+ '-n', 'Server-Cert cert-pki-ca']
+ )
+ req_id = get_certmonger_fs_id(cmd.stdout_text)
+ tasks.wait_for_certmonger_status(
+ self.replicas[0], ('CA_UNREACHABLE'), req_id, timeout=600
+ )
+ # get initial expiry date to compare later with renewed cert
+ initial_expiry = get_cert_expiry(
+ self.replicas[0],
+ paths.PKI_TOMCAT_ALIAS_DIR,
+ 'Server-Cert cert-pki-ca'
)
- # LDAP/HTTP/PKINIT certs will be renewed automaticaly
- # after moving date on replica. This 3, 1 CA cert,
- # 1 RA agent cert. Check for total 5 valid certs.
- check_status(self.replicas[0], 5, "MONITORING")
+ # check that HTTP,LDAP,PKINIT are renewed and in MONITORING state
+ instance = realm_to_serverid(self.master.domain.realm)
+ dirsrv_cert = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
+ for cert in (paths.KDC_CERT, paths.HTTPD_CERT_FILE):
+ cmd = self.replicas[0].run_command(
+ ['getcert', 'list', '-f', cert]
+ )
+ req_id = get_certmonger_fs_id(cmd.stdout_text)
+ tasks.wait_for_certmonger_status(
+ self.replicas[0], ('MONITORING'), req_id, timeout=600
+ )
- # get the req ids of all certs to renew remaining
- # certs by re-submitting it
- result = self.replicas[0].run_command(['getcert', 'list'])
- req_ids = re.findall(r'\d{14}', result.stdout_text)
+ cmd = self.replicas[0].run_command(
+ ['getcert', 'list', '-d', dirsrv_cert]
+ )
+ req_id = get_certmonger_fs_id(cmd.stdout_text)
+ tasks.wait_for_certmonger_status(
+ self.replicas[0], ('MONITORING'), req_id, timeout=600
+ )
- # resubmit the certs to renew them
- for req_id in req_ids:
+ # check if replication working fine
+ testuser = 'testuser1'
+ password = 'Secret@123'
+ stdin = (f"{self.master.config.admin_password}\n"
+ f"{self.master.config.admin_password}\n"
+ f"{self.master.config.admin_password}\n")
+ self.master.run_command(['kinit', 'admin'], stdin_text=stdin)
+ tasks.user_add(self.master, testuser, password=password)
+ self.replicas[0].run_command(['kinit', 'admin'], stdin_text=stdin)
+ self.replicas[0].run_command(['ipa', 'user-show', testuser])
+
+ # renew shared certificates by resubmitting to certmonger
+ cmd = self.replicas[0].run_command(
+ ['getcert', 'list', '-f', paths.RA_AGENT_PEM]
+ )
+ req_id = get_certmonger_fs_id(cmd.stdout_text)
+ if needs_resubmit(self.replicas[0], req_id):
self.replicas[0].run_command(
['getcert', 'resubmit', '-i', req_id]
)
+ tasks.wait_for_certmonger_status(
+ self.replicas[0], ('MONITORING'), req_id, timeout=600
+ )
+ for cert_nick in ('auditSigningCert cert-pki-ca',
+ 'ocspSigningCert cert-pki-ca',
+ 'subsystemCert cert-pki-ca'):
+ cmd = self.replicas[0].run_command(
+ ['getcert', 'list',
+ '-d', paths.PKI_TOMCAT_ALIAS_DIR,
+ '-n', cert_nick]
+ )
+ req_id = get_certmonger_fs_id(cmd.stdout_text)
+ if needs_resubmit(self.replicas[0], req_id):
+ self.replicas[0].run_command(
+ ['getcert', 'resubmit', '-i', req_id]
+ )
+ tasks.wait_for_certmonger_status(
+ self.replicas[0], ('MONITORING'), req_id, timeout=600
+ )
- check_status(self.master, 9, "MONITORING")
+ self.replicas[0].run_command(
+ ['ipa-cert-fix', '-v'], stdin_text='yes\n'
+ )
- # move date back on replica and master
- move_date(self.replicas[0], 'start', '-3years-1days')
- move_date(self.master, 'start', '-3years-1days')
+ check_status(self.replicas[0], 9, "MONITORING")
+
+ # Sometimes certmonger takes time to update the cert status
+ # So check in nssdb instead of relying on getcert command
+ renewed_expiry = get_cert_expiry(
+ self.replicas[0],
+ paths.PKI_TOMCAT_ALIAS_DIR,
+ 'Server-Cert cert-pki-ca'
+ )
+ assert renewed_expiry > initial_expiry
--
2.31.1