URL: https://github.com/freeipa/freeipa/pull/5724
Author: flo-renaud
 Title: #5724: [Backport][ipa-4-9] ipatests: test to renew certs on replica 
using ipa-cert-fix
Action: opened

PR body:
"""
This PR was opened automatically because PR #5653 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5724/head:pr5724
git checkout pr5724
From 122841cb88e4011f51ea8ff41674e77b11a66d63 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myu...@redhat.com>
Date: Mon, 19 Apr 2021 12:08:28 +0530
Subject: [PATCH] ipatests: test to renew certs on replica using ipa-cert-fix

This test checks if ipa-cert-fix renews the certs on replica
after cert renewal on master.

related: https://pagure.io/freeipa/issue/7885

ipatests: refactor expire_cert_critical fixture

Define a move_date() helper that shifts the host clock and refactor
the expire_cert_critical fixture to use it

ipatests: PEP8 fixes

Signed-off-by: Mohammad Rizwan <myu...@redhat.com>
---
 .../test_integration/test_ipa_cert_fix.py     | 89 +++++++++++++++++--
 1 file changed, 83 insertions(+), 6 deletions(-)

diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index b2e92d4dcac..6d5d8a058dd 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -6,6 +6,7 @@
 Module provides tests for ipa-cert-fix CLI.
 """
 import pytest
+import re
 import time
 
 import logging
@@ -48,6 +49,16 @@ def check_status(host, cert_count, state, timeout=600):
     return count
 
 
+def move_date(host, chrony_state, date_str):
+    """Helper method to move the date on given host
+    :param host: The host on which date is to be moved
+    :param chrony_state: State to which chrony service to be moved
+    :param date_str: date string to move the date i.e 2years1month1days
+    """
+    host.run_command(['systemctl', chrony_state, 'chronyd'])
+    host.run_command(['date', '-s', date_str])
+
+
 @pytest.fixture
 def expire_cert_critical():
     """
@@ -64,15 +75,15 @@ def _expire_cert_critical(host, setup_kra=False):
                              extra_args=['--no-ntp'])
         if setup_kra:
             tasks.install_kra(host)
-        host.run_command(['systemctl', 'stop', 'chronyd'])
-        host.run_command(['date', '-s', '+3Years+1day'])
+
+        # move date to expire certs
+        move_date(host, 'stop', '+3Years+1day')
 
     yield _expire_cert_critical
 
     host = hosts.pop('host')
     tasks.uninstall_master(host)
-    host.run_command(['date', '-s', '-3Years-1day'])
-    host.run_command(['systemctl', 'start', 'chronyd'])
+    move_date(host, 'start', '-3Years-1day')
 
 
 class TestIpaCertFix(IntegrationTest):
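Review bot: The teardown restores the clock only after `tasks.uninstall_master(host)` returns, so if the uninstall raises the host is left three years ahead for every test that follows; this was already the case before the refactor, but since the restore line is rewritten here it is worth making it unconditional, e.g. `try: tasks.uninstall_master(host)` / `finally: move_date(host, 'start', '-3Years-1day')`. Note also that the removed lines set the date back before starting chronyd, while `move_date` as written runs the `systemctl` action first; if the helper is kept in that form the teardown now starts chronyd on a clock that is still skewed. The `_expire_cert_critical` inner function starts outside this hunk.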
@@ -122,7 +133,8 @@ def test_missing_csr(self, expire_cert_critical):
 
         # Because of BZ 1897120, pki-cert-fix fails on pki-core 10.10.0
         # https://bugzilla.redhat.com/show_bug.cgi?id=1897120
-        if tasks.get_pki_version(self.master) != tasks.parse_version('10.10.0'):
+        if (tasks.get_pki_version(self.master)
+           != tasks.parse_version('10.10.0')):
             assert result.returncode == 0
 
             # get the number of certs track by certmonger
@@ -219,7 +231,7 @@ def test_third_party_certs(self):
                 '--pin', self.master.config.admin_password,
                 '-d', 'server.p12']
         self.master.run_command(args)
-        self.master.run_command(['ipactl', 'restart',])
+        self.master.run_command(['ipactl', 'restart'])
 
         # Run ipa-cert-fix. This is basically a no-op but tests that
         # the DS nickname is used and not a hardcoded value.
@@ -250,3 +262,68 @@ def test_renew_expired_cert_with_kra(self, expire_cert_critical):
         self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
 
         check_status(self.master, 12, "MONITORING")
+
+
+class TestCertFixReplica(IntegrationTest):
+
+    num_replicas = 1
+
+    @classmethod
+    def install(cls, mh):
+        tasks.install_master(
+            mh.master, setup_dns=False, extra_args=['--no-ntp']
+        )
+        tasks.install_replica(
+            mh.master, mh.replicas[0],
+            setup_dns=False, extra_args=['--no-ntp']
+        )
+
+    def test_renew_expired_cert_replica(self):
+        """Test renewal of certificates on replica with ipa-cert-fix
+
+        This is to check that ipa-cert-fix renews the certificates
+        on replica
+
+        related: https://pagure.io/freeipa/issue/7885
+        """
+        move_date(self.master, 'stop', '+3years+1days')
+
+        # wait for cert expiry
+        check_status(self.master, 8, "CA_UNREACHABLE")
+
+        self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
+
+        check_status(self.master, 9, "MONITORING")
+
+        # move system date to expire cert on replica
+        move_date(self.replicas[0], 'stop', '+3years+1days')
+
+        # RA agent cert will be expired and in CA_UNREACHABLE state
+        check_status(self.replicas[0], 1, "CA_UNREACHABLE")
+
+        # renew RA agent cert
+        self.replicas[0].run_command(
+            ['ipa-cert-fix', '-v'], stdin_text='yes\n'
+        )
+
+        # LDAP/HTTP/PKINIT certs will be renewed automaticaly
+        # after moving date on replica. This 3, 1 CA cert,
+        # 1 RA agent cert. Check for total 5 valid certs.
+        check_status(self.replicas[0], 5, "MONITORING")
+
+        # get the req ids of all certs to renew remaining
+        # certs by re-submitting it
+        result = self.replicas[0].run_command(['getcert', 'list'])
+        req_ids = re.findall(r'\d{14}', result.stdout_text)
+
+        # resubmit the certs to renew them
+        for req_id in req_ids:
+            self.replicas[0].run_command(
+                ['getcert', 'resubmit', '-i', req_id]
+            )
+
+        check_status(self.master, 9, "MONITORING")
+
+        # move date back on replica and master
+        move_date(self.replicas[0], 'start', '-3years-1days')
+        move_date(self.master, 'start', '-3years-1days')
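Review bot: The final `check_status(self.master, 9, "MONITORING")` re-checks the master, which was already asserted at that count before any replica work began, so the `getcert resubmit` loop on the replica is never verified; if the intent is the replica's remaining certificates it should read `check_status(self.replicas[0], 9, "MONITORING")` (the expected replica count is inferred from the 5 + remaining split in the comments, not visible here). `re.findall(r'\d{14}', result.stdout_text)` matches any 14-digit run in `getcert list` output rather than only request IDs, so anchoring on the field label, e.g. `re.findall(r"Request ID '(\d{14})'", result.stdout_text)`, avoids resubmitting on a stray match. The clock is moved back only on the success path at the end of the test, so a failing `check_status` leaves both hosts three years ahead for any later test class; restoring it in a fixture with yield-teardown, as `expire_cert_critical` does, or in a `finally` that only reverts hosts whose clock was actually shifted, would keep the test self-contained.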