Blob Blame History Raw
From e0aef5296b66c0b460f7e10993610fe68b312241 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Mon, 19 Apr 2021 12:08:28 +0530
Subject: [PATCH] ipatests: test to renew certs on replica using ipa-cert-fix

This test checks if ipa-cert-fix renews the certs on replica
after cert renewal on master.

related: https://pagure.io/freeipa/issue/7885

ipatests: refactor expire_cert_critical fixture

Defined method to move the date and refactor
expire_cert_critical fixture using it

ipatests: PEP8 fixes

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
 .../test_integration/test_ipa_cert_fix.py     | 74 ++++++++++++++++++-
 1 file changed, 70 insertions(+), 4 deletions(-)

diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index f3cf59afc..a20996737 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -6,6 +6,7 @@
 Module provides tests for ipa-cert-fix CLI.
 """
 import pytest
+import re
 import time
 
 import logging
@@ -74,15 +75,15 @@ def expire_cert_critical():
                              extra_args=['--no-ntp'])
         if setup_kra:
             tasks.install_kra(host)
-        host.run_command(['systemctl', 'stop', 'chronyd'])
-        host.run_command(['date', '-s', '+3Years+1day'])
+
+        # move date to expire certs
+        move_date(host, 'stop', '+3Years+1day')
 
     yield _expire_cert_critical
 
     host = hosts.pop('host')
     tasks.uninstall_master(host)
-    host.run_command(['date', '-s', '-3Years-1day'])
-    host.run_command(['systemctl', 'start', 'chronyd'])
+    move_date(host, 'start', '-3Years-1day')
 
 
 class TestIpaCertFix(IntegrationTest):
@@ -336,3 +337,68 @@ class TestCertFixKRA(IntegrationTest):
         self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
 
         check_status(self.master, 12, "MONITORING")
+
+
+class TestCertFixReplica(IntegrationTest):
+
+    num_replicas = 1
+
+    @classmethod
+    def install(cls, mh):
+        tasks.install_master(
+            mh.master, setup_dns=False, extra_args=['--no-ntp']
+        )
+        tasks.install_replica(
+            mh.master, mh.replicas[0],
+            setup_dns=False, extra_args=['--no-ntp']
+        )
+
+    def test_renew_expired_cert_replica(self):
+        """Test renewal of certificates on replica with ipa-cert-fix
+
+        This is to check that ipa-cert-fix renews the certificates
+        on replica
+
+        related: https://pagure.io/freeipa/issue/7885
+        """
+        move_date(self.master, 'stop', '+3years+1days')
+
+        # wait for cert expiry
+        check_status(self.master, 8, "CA_UNREACHABLE")
+
+        self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
+
+        check_status(self.master, 9, "MONITORING")
+
+        # move system date to expire cert on replica
+        move_date(self.replicas[0], 'stop', '+3years+1days')
+
+        # RA agent cert will be expired and in CA_UNREACHABLE state
+        check_status(self.replicas[0], 1, "CA_UNREACHABLE")
+
+        # renew RA agent cert
+        self.replicas[0].run_command(
+            ['ipa-cert-fix', '-v'], stdin_text='yes\n'
+        )
+
+        # LDAP/HTTP/PKINIT certs will be renewed automaticaly
+        # after moving date on replica. This 3, 1 CA cert,
+        # 1 RA agent cert. Check for total 5 valid certs.
+        check_status(self.replicas[0], 5, "MONITORING")
+
+        # get the req ids of all certs to renew remaining
+        # certs by re-submitting it
+        result = self.replicas[0].run_command(['getcert', 'list'])
+        req_ids = re.findall(r'\d{14}', result.stdout_text)
+
+        # resubmit the certs to renew them
+        for req_id in req_ids:
+            self.replicas[0].run_command(
+                ['getcert', 'resubmit', '-i', req_id]
+            )
+
+        check_status(self.master, 9, "MONITORING")
+
+        # move date back on replica and master
+        move_date(self.replicas[0], 'start', '-3years-1days')
+        move_date(self.master, 'start', '-3years-1days')
-- 
2.31.1