URL: https://github.com/freeipa/freeipa/pull/4966
Author: flo-renaud
 Title: #4966: [Backport][ipa-4-8] ipatests: Test that healthcheck detects and 
reports expiration
Action: opened

PR body:
"""
This PR was opened automatically because PR #4949 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4966/head:pr4966
git checkout pr4966
From 0e4f64978441ad599951282a406b86f48315c0e3 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <[email protected]>
Date: Tue, 28 Jul 2020 11:47:14 -0400
Subject: [PATCH] ipatests: Test that healthcheck detects and reports
 expiration

Set the date forward to a point at which the certificates are still valid and
run healthcheck to confirm that an appropriate warning is reported.

This validates two separate checks, one that relies on certmonger
to report expiration and one that relies on the data on disk to
determine expiration in case certmonger is out-of-date for some
reason (belt and suspenders).

Signed-off-by: Rob Crittenden <[email protected]>
---
 .../test_integration/test_ipahealthcheck.py   | 59 +++++++++++++++++++
 1 file changed, 59 insertions(+)

diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 78d46fa15a..dca8594cc2 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -7,6 +7,7 @@
 
 from __future__ import absolute_import
 
+from datetime import datetime, timedelta
 import json
 import os
 import re
@@ -14,6 +15,7 @@
 import pytest
 
 from ipalib import api
+from ipalib import x509
 from ipapython.ipaldap import realm_to_serverid
 from ipapython.certdb import NSS_SQL_FILES
 from ipatests.pytest_ipa.integration import tasks
@@ -740,6 +742,63 @@ def test_ipacertnsstrust_check(self, modify_cert_trust_attr):
                 assert check["kw"]["dbdir"] == paths.PKI_TOMCAT_ALIAS_DIR
                 assert check["kw"]["msg"] == error_msg
 
+    def test_ipa_healthcheck_expiring(self):
+        """
+        There are two overlapping tests for expiring certs, check both.
+        """
+
+        def execute_expiring_check(check):
+            """
+            Test that certmonger will report warnings if expiration is near
+            """
+
+            returncode, data = run_healthcheck(
+                self.master,
+                "ipahealthcheck.ipa.certs",
+                check,
+            )
+
+            assert returncode == 1
+            assert len(data) == 9  # non-KRA is 9 tracked certs
+
+            for check in data:
+                if check["result"] == "SUCCESS":
+                    # The CA is not expired
+                    request = self.master.run_command(
+                        ["getcert", "list", "-i", check["kw"]["key"]]
+                    )
+                    assert "caSigningCert cert-pki-ca" in request.stdout_text
+                else:
+                    assert check["result"] == "WARNING"
+                    if check["kw"]["days"] == 21:
+                        # the httpd, 389-ds and KDC renewal dates are later
+                        certs = (paths.HTTPD_CERT_FILE, paths.KDC_CERT,
+                                 '/etc/dirsrv/slapd-',)
+                        request = self.master.run_command(
+                            ["getcert", "list", "-i", check["kw"]["key"]]
+                        )
+                        assert any(cert in request.stdout_text
+                                   for cert in certs)
+                    else:
+                        assert check["kw"]["days"] == 10
+
+        # Pick a cert to find the upcoming expiration
+        certfile = self.master.get_file_contents(paths.RA_AGENT_PEM)
+        cert = x509.load_certificate_list(certfile)
+        cert_expiry = cert[0].not_valid_after
+
+        # move date to the grace period
+        self.master.run_command(['systemctl', 'stop', 'chronyd'])
+        grace_date = cert_expiry - timedelta(days=10)
+        grace_date = datetime.strftime(grace_date, "%Y-%m-%d 00:00:01 Z")
+        self.master.run_command(['date', '-s', grace_date])
+
+        for check in ("IPACertmongerExpirationCheck",
+                      "IPACertfileExpirationCheck",):
+            execute_expiring_check(check)
+
+        self.master.run_command(['systemctl', 'start', 'chronyd'])
+
     def test_ipa_healthcheck_remove(self):
         """
         This testcase checks the removal of of healthcheck tool
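Review bot: The `self.master.run_command(['systemctl', 'start', 'chronyd'])` on the last added line of `test_ipa_healthcheck_expiring` only executes if every assertion inside both `execute_expiring_check` calls passes; a single failing assert leaves the master with chronyd stopped and its clock set roughly 10 days before the RA agent certificate expires, so every test that runs afterwards in this class presumably executes against a skewed clock with no time synchronisation to correct it. Wrapping the date change and the check loop in `try:` with the restart in a `finally:` block (`finally:` / `    self.master.run_command(['systemctl', 'start', 'chronyd'])`) ensures time sync is always restored, whichever way the assertions go. Separately, `for check in data:` shadows the `check` parameter of `execute_expiring_check` that names the healthcheck source, so renaming the loop variable (for example `for result in data:`) would make the body easier to follow. The hard-coded `assert len(data) == 9  # non-KRA is 9 tracked certs` will also start failing as soon as a KRA is installed on the master; a comment stating that this test assumes no KRA, or a skip condition on its presence, would make the dependency explicit.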