From e0aef5296b66c0b460f7e10993610fe68b312241 Mon Sep 17 00:00:00 2001 From: Mohammad Rizwan Date: Mon, 19 Apr 2021 12:08:28 +0530 Subject: [PATCH] ipatests: test to renew certs on replica using ipa-cert-fix This test checks if ipa-cert-fix renews the certs on replica after cert renewal on master. related: https://pagure.io/freeipa/issue/7885 ipatests: refactor expire_cert_critical fixture Defined method to move the date and refactor expire_cert_critical fixture using it ipatests: PEP8 fixes Signed-off-by: Mohammad Rizwan Reviewed-By: Florence Blanc-Renaud --- .../test_integration/test_ipa_cert_fix.py | 74 ++++++++++++++++++- 1 file changed, 70 insertions(+), 4 deletions(-) diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py index f3cf59afc..a20996737 100644 --- a/ipatests/test_integration/test_ipa_cert_fix.py +++ b/ipatests/test_integration/test_ipa_cert_fix.py @@ -6,6 +6,7 @@ Module provides tests for ipa-cert-fix CLI. """ import pytest +import re import time import logging @@ -74,15 +75,15 @@ def expire_cert_critical(): extra_args=['--no-ntp']) if setup_kra: tasks.install_kra(host) - host.run_command(['systemctl', 'stop', 'chronyd']) - host.run_command(['date', '-s', '+3Years+1day']) + + # move date to expire certs + move_date(host, 'stop', '+3Years+1day') yield _expire_cert_critical host = hosts.pop('host') tasks.uninstall_master(host) - host.run_command(['date', '-s', '-3Years-1day']) - host.run_command(['systemctl', 'start', 'chronyd']) + move_date(host, 'start', '-3Years-1day') class TestIpaCertFix(IntegrationTest): @@ -336,3 +337,68 @@ class TestCertFixKRA(IntegrationTest): self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n') check_status(self.master, 12, "MONITORING") + + +class TestCertFixReplica(IntegrationTest): + + num_replicas = 1 + + @classmethod + def install(cls, mh): + tasks.install_master( + mh.master, setup_dns=False, extra_args=['--no-ntp'] + ) + tasks.install_replica( + mh.master, mh.replicas[0], + setup_dns=False, extra_args=['--no-ntp'] + ) + + def test_renew_expired_cert_replica(self): + """Test renewal of certificates on replica with ipa-cert-fix + + This is to check that ipa-cert-fix renews the certificates + on replica + + related: https://pagure.io/freeipa/issue/7885 + """ + move_date(self.master, 'stop', '+3years+1days') + + # wait for cert expiry + check_status(self.master, 8, "CA_UNREACHABLE") + + self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n') + + check_status(self.master, 9, "MONITORING") + + # move system date to expire cert on replica + move_date(self.replicas[0], 'stop', '+3years+1days') + + # RA agent cert will be expired and in CA_UNREACHABLE state + check_status(self.replicas[0], 1, "CA_UNREACHABLE") + + # renew RA agent cert + self.replicas[0].run_command( + ['ipa-cert-fix', '-v'], stdin_text='yes\n' + ) + + # LDAP/HTTP/PKINIT certs will be renewed automaticaly + # after moving date on replica. This 3, 1 CA cert, + # 1 RA agent cert. Check for total 5 valid certs. + check_status(self.replicas[0], 5, "MONITORING") + + # get the req ids of all certs to renew remaining + # certs by re-submitting it + result = self.replicas[0].run_command(['getcert', 'list']) + req_ids = re.findall(r'\d{14}', result.stdout_text) + + # resubmit the certs to renew them + for req_id in req_ids: + self.replicas[0].run_command( + ['getcert', 'resubmit', '-i', req_id] + ) + + check_status(self.master, 9, "MONITORING") + + # move date back on replica and master + move_date(self.replicas[0], 'start', '-3years-1days') + move_date(self.master, 'start', '-3years-1days') -- 2.31.1