URL: https://github.com/freeipa/freeipa/pull/4373 Author: ssidhaye Title: #4373: Test to check if Certmonger tracks certs in between reboots/interruptions Action: opened
PR body: """ Test to check if Certmonger tracks certs in between reboots/interruptions and while in "CA_WORKING" state A non-renewal master CA might submit a renewal request before the renewal master has actually updated the certs. This is expected. But, if certmonger on this node is stopped/interrupted for any reason while the resubmit request is in "CA_WORKING" state it will not be able to track changes to this cert anymore. Pagure Issue: https://pagure.io/freeipa/issue/8164 Signed-off-by: Sumedh Sidhaye <ssidh...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4373/head:pr4373 git checkout pr4373
From 61253ef38b368afe8a416f17a682a81c789702c7 Mon Sep 17 00:00:00 2001 From: Sumedh Sidhaye <ssidh...@redhat.com> Date: Fri, 13 Mar 2020 17:07:43 +0530 Subject: [PATCH] Test to check if Certmonger tracks certs in between reboots/interruptions and while in "CA_WORKING" state A non-renewal master CA might submit a renewal request before the renewal master actually updating the certs. This is expected. But, if certmonger on this node is stopped/interrupted for any reason while the resubmit request is in "CA_WORKING" state it will not be able to track changes to this cert anymore. Pagure Issue: https://pagure.io/freeipa/issue/8164 Signed-off-by: Sumedh Sidhaye <ssidh...@redhat.com> --- ipatests/test_integration/test_cert.py | 48 ++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py index 7a3c95aba7..1515ea5a23 100644 --- a/ipatests/test_integration/test_cert.py +++ b/ipatests/test_integration/test_cert.py @@ -10,6 +10,7 @@ from __future__ import absolute_import import re +import time from ipatests.pytest_ipa.integration import tasks from ipatests.test_integration.base import IntegrationTest 
@@ -46,3 +47,50 @@ def test_cacert_file_appear_with_option_F(self):
 assert status == "MONITORING"
 self.clients[0].run_command(['ls', '-l', '/etc/pki/tls/test.CA'])
+
+
+class TestInstallMasterReplica(IntegrationTest):
+ num_replicas = 1
+
+ @classmethod
+ def install(cls, mh):
+ tasks.install_master(cls.master)
+ tasks.install_replica(self.master, self.replicas[2], setup_ca=True,
+ setup_kra=False)
+
+ def test_certmomger_tracks_renewed_certs_during_interruptions(self):
+ """Test to check if Certmonger tracks certs in between
+ reboots/interruptions and while in "CA_WORKING" state
+
+ A non-renewal master CA might submit a renewal request before
+ the renewal master actually updating the certs. This is expected.
+
+ But, if certmonger on this node is stopped/interrupted
+ for any reason while the resubmit request is in "CA_WORKING" state
+ it will not be able to track changes to this cert anymore.
+
+ Pagure Issue: https://pagure.io/freeipa/issue/8164
+ """
+ cmd = ['getcert', 'resubmit', '-f',
+ '/var/lib/ipa/ra-agent.pem']
+ result = self.replicas[0].run_command(cmd)
+ # assert 'CA_WORKING' in result.stdout_text
+ request_id = re.findall(r'\d+', result.stdout_text)
+
+ # check if certificate is in CA_WORKING state
+ status = tasks.wait_for_request(self.clients[0], request_id[0], 50)
+ assert status == "CA_WORKING"
+
+ # restart certmonger service on replica
+ self.replicas[0].run_command(['systemctl', 'restart', 'certmonger'])
+ time.sleep(15)
+
+ cmd = ['getcert', 'list', '-f', '/var/lib/ipa/ra-agent.pem']
+ result = self.replicas[0].run_command(cmd)
+ # check if certificate is in SUBMITTING state
+ status = tasks.wait_for_request(self.clients[0], request_id[0], 50)
+ assert status == "SUBMITTING"
+
+ cmd = ['grep', '-P', "'certmonger|dogtag'", '/var/log/messages*']
+ result = self.replicas[0].run_command(cmd)
+ assert "Invalid cookie: u''" not in result.stdout_text
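Review bot: `install` is a classmethod, yet it calls `tasks.install_replica(self.master, self.replicas[2], ...)`; `self` is not defined there and `num_replicas = 1` leaves only index 0, so setup fails before the test body runs. Both `wait_for_request` calls poll `self.clients[0]`, although the class declares no clients and the resubmit request was created on `self.replicas[0]`. The final `grep` is passed as an argv list, so the inner quotes in `"'certmonger|dogtag'"` become part of the pattern and `/var/log/messages*` is presumably never glob-expanded; that leaves the `Invalid cookie` assertion unable to detect the loss of certificate tracking this test is meant to guard against. The fence below shows the lines I would change; reading only the current log file with `raiseonerr=False` is an assumption about where the messages land, so confirm it (or read the journal) before relying on it. The fixed `time.sleep(15)` and the `certmomger` typo in the test name are also worth a follow-up.

```python
    @classmethod
    def install(cls, mh):
        tasks.install_master(cls.master)
        # classmethod: use cls, and num_replicas = 1 leaves only index 0
        tasks.install_replica(cls.master, cls.replicas[0], setup_ca=True,
                              setup_kra=False)

    # … unchanged: test docstring, getcert resubmit, request_id parsing …
        # poll the host that owns the certmonger request
        status = tasks.wait_for_request(self.replicas[0], request_id[0], 50)
    # … unchanged: CA_WORKING assert, certmonger restart, getcert list …
        status = tasks.wait_for_request(self.replicas[0], request_id[0], 50)
    # … unchanged: SUBMITTING assert …
        # argv list, no shell: no inner quotes, no glob; grep exits 1 on no match
        cmd = ['grep', '-P', 'certmonger|dogtag', '/var/log/messages']
        result = self.replicas[0].run_command(cmd, raiseonerr=False)
```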