URL: https://github.com/freeipa/freeipa/pull/5393
Author: rcritten
Title: #5393: Include the CA profile when modifying request in ipa_certupdate
Action: opened
PR body:
"""
The CA tracking request is modified (it calls renew but it doesn't
actually do a renewal) as part of ipa-certupdate and it dropped the profile.
ipa-healthcheck discovered this condition.

https://pagure.io/freeipa/issue/8644

Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5393/head:pr5393
git checkout pr5393
From 9eb4dfedc54e4fda68b76bf2d32763dac370d60c Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Mon, 4 Jan 2021 17:01:33 -0500 Subject: [PATCH 1/3] Include the CA profile when modifying request in ipa_certupdate The CA tracking request is modified (it calls renew but it doesn't actually do a renewal) as part of ipa-certupdate and it dropped the profile. ipa-healthcheck discovered this condition. https://pagure.io/freeipa/issue/8644 Signed-off-by: Rob Crittenden <rcrit...@redhat.com> --- ipaclient/install/ipa_certupdate.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py index f6f2dec4dea..a49fc60482e 100644 --- a/ipaclient/install/ipa_certupdate.py +++ b/ipaclient/install/ipa_certupdate.py @@ -188,7 +188,8 @@ def update_server(certs): # logger.debug("resubmitting certmonger request '%s'", request_id) certmonger.resubmit_request( - request_id, ca='dogtag-ipa-ca-renew-agent-reuse', profile='') + request_id, ca='dogtag-ipa-ca-renew-agent-reuse', + profile='caCACert') try: state = certmonger.wait_for_request(request_id, timeout) except RuntimeError: From 906a1d9a21102fa7aa5777c3758f576ace0624ca Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Mon, 4 Jan 2021 17:03:39 -0500 Subject: [PATCH 2/3] ipatests: test that no errors are reported after ipa-certupdate The CA tracking request was modified to drop the profile which was caught by ipa-healthcheck. Run ipa-certupdate then ipa-healthcheck to confirm that no problems are introduced. https://pagure.io/freeipa/issue/8644 Signed-off-by: Rob Crittenden <rcrit...@redhat.com> --- ipatests/test_integration/test_ipahealthcheck.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py index 5242fe8751e..7140b7bb4fa 100644 --- a/ipatests/test_integration/test_ipahealthcheck.py 
+++ b/ipatests/test_integration/test_ipahealthcheck.py @@ -1254,6 +1254,20 @@ def execute_expiring_check(check): # synced. Help chrony by resetting the date self.master.run_command(['date', '-s', now_str]) + def test_ipa_healthcheck_after_certupdate(self): + """ + Verify that ipa-certupdate hasn't messed up tracking + + ipa-certupdate was dropping the profile value from the CA + signing cert tracking. ipa-healthcheck discovered this. + + Run ipa-healthcheck after ipa-certupdate to ensure that + no problems are discovered. + """ + self.master.run_command([paths.IPA_CERTUPDATE]) + returncode, data = run_healthcheck(self.master) + assert returncode = 0 + """ IMPORTANT: Do not add tests after test_ipa_healthcheck_expiring as the system may be unstable after the date modification. From e6f7d299644efa8ad86efa0e763a446c62842ffd Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Mon, 4 Jan 2021 17:05:22 -0500 Subject: [PATCH 3/3] Temp commit --- .freeipa-pr-ci.yaml | 2 +- ipatests/prci_definitions/temp_commit.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml index abcf8c5b634..80656690080 120000 --- a/.freeipa-pr-ci.yaml +++ b/.freeipa-pr-ci.yaml @@ -1 +1 @@ -ipatests/prci_definitions/gating.yaml \ No newline at end of file +ipatests/prci_definitions/temp_commit.yaml \ No newline at end of file diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml index b297cd4e319..71f378814f2 100644 --- a/ipatests/prci_definitions/temp_commit.yaml +++ b/ipatests/prci_definitions/temp_commit.yaml @@ -68,7 +68,7 @@ jobs: class: RunPytest args: build_url: '{fedora-latest/build_url}' - test_suite: test_integration/test_REPLACEME.py + test_suite: test_integration/test_ipahealthcheck.py::TestIpaHealthCheck template: *ci-master-latest timeout: 3600 - topology: *master_1repl_1client + topology: *master_1repl
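Review bot: In PATCH 1/3, the call in update_server() now passes the profile as a bare string literal, profile='caCACert', with nothing in the code saying why it has to be there. The commit message explains that this resubmit does not actually renew and that passing an empty profile dropped the tracked value; a one-line comment above certmonger.resubmit_request() saying so would keep a later cleanup from reverting it to profile=''. If this is the same profile name that ipa-healthcheck compares against, a shared constant would keep the two from drifting apart.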
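Review bot: In PATCH 2/3, the last added line of test_ipa_healthcheck_after_certupdate, "assert returncode = 0", is an assignment inside an assert and is a SyntaxError, so test_ipahealthcheck.py will not import and none of its tests will run; it should be "assert returncode == 0". Two smaller points in the same hunk: "data" is unpacked from run_healthcheck() but never used, and putting it in the assertion message would show which check failed. The new test is also inserted between the "date -s" reset and the note "Do not add tests after test_ipa_healthcheck_expiring", which appears to place it after the very test that note warns about; it should move above that test.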
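Review bot: In PATCH 3/3, the .freeipa-pr-ci.yaml hunk repoints the symlink from ipatests/prci_definitions/gating.yaml to temp_commit.yaml, so this commit must be dropped before the series is merged. The subject "Temp commit" is the only indication of that; unlike the other two commits it has no body and no Signed-off-by, and a line such as "DO NOT MERGE: runs only TestIpaHealthCheck in PR-CI" in the message would make the intent explicit to whoever pushes the final series.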