URL: https://github.com/freeipa/freeipa/pull/5892
Author: mrizwan93
Title: #5892: [Backport][ipa-4-9] ipatests: Test ipa-cert-fix warns when startup directive is missing from CS.cfg
Action: opened

PR body:
"""
Earlier it used to fail when the startup directive was missing from CS.cfg.
With https://github.com/dogtagpki/pki/pull/3466, it changed to display
a warning rather than failing.

related: https://pagure.io/freeipa/issue/8890

Signed-off-by: Mohammad Rizwan <myu...@redhat.com>
Reviewed-By: Florence Blanc-Renaud <f...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5892/head:pr5892
git checkout pr5892
From a280b8c6118159fbf849b5803c54367449d56b13 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myu...@redhat.com>
Date: Thu, 24 Jun 2021 13:10:00 +0530
Subject: [PATCH] ipatests: Test ipa-cert-fix warns when startup directive is
 missing from CS.cfg

Earlier it used to fail when the startup directive was missing from CS.cfg.
With https://github.com/dogtagpki/pki/pull/3466, it changed to display
a warning rather than failing.

related: https://pagure.io/freeipa/issue/8890

Signed-off-by: Mohammad Rizwan <myu...@redhat.com>
Reviewed-By: Florence Blanc-Renaud <f...@redhat.com>
---
 .../test_integration/test_ipa_cert_fix.py     | 66 +++++++++++++++++++
 1 file changed, 66 insertions(+)

diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index b2e92d4dcac..a32a7477ebc 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -180,6 +180,72 @@ def test_ipa_cert_fix_non_ipa(self):
                                          raiseonerr=False)
         assert result.returncode == 2
 
+    def test_missing_startup(self, expire_cert_critical):
+        """
+        Test ipa-cert-fix fails/warns when startup directive is missing
+
+        This test checks that if 'selftests.container.order.startup' directive
+        is missing from CS.cfg, ipa-cert-fix fails and throw proper error
+        message. It also checks that underlying command 'pki-server cert-fix'
+        should fail to renew the cert.
+
+        related: https://pagure.io/freeipa/issue/8721
+
+        With https://github.com/dogtagpki/pki/pull/3466, it changed to display
+        a warning than failing.
+
+        This test also checks that if 'selftests.container.order.startup'
+        directive is missing from CS.cfg, ipa-cert-fix dsplay proper warning
+        (depending on pki version)
+
+        related: https://pagure.io/freeipa/issue/8890
+        """
+        expire_cert_critical(self.master)
+        # pki must be stopped in order to edit CS.cfg
+        self.master.run_command(['ipactl', 'stop'])
+        self.master.run_command([
+            'sed', '-i', r'/selftests\.container\.order\.startup/d',
+            paths.CA_CS_CFG_PATH
+        ])
+        # dirsrv needs to be up in order to run ipa-cert-fix
+        self.master.run_command(['ipactl', 'start',
+                                 '--ignore-service-failures'])
+
+        result = self.master.run_command(['ipa-cert-fix', '-v'],
+                                         stdin_text='yes\n',
+                                         raiseonerr=False)
+
+        err_msg1 = "ERROR: 'selftests.container.order.startup'"
+        # check that pki-server cert-fix command fails
+        err_msg2 = ("ERROR: CalledProcessError(Command "
+                    "['pki-server', 'cert-fix'")
+        warn_msg = ("WARNING: No selftests configured in "
+                    f"{paths.CA_CS_CFG_PATH} "
+                    "(selftests.container.order.startup)")
+
+        if (tasks.get_pki_version(self.master)
+           < tasks.parse_version('10.11.0')):
+            assert (err_msg1 in result.stderr_text
+                    and err_msg2 in result.stderr_text)
+        else:
+            assert warn_msg in result.stdout_text
+
+    def test_expired_CA_cert(self, expire_ca_cert):
+        """Test to check ipa-cert-fix when CA certificate is expired
+
+        In order to fix expired certs using ipa-cert-fix, CA cert should be
+        valid. If CA cert expired, ipa-cert-fix won't work.
+
+        related: https://pagure.io/freeipa/issue/8721
+        """
+        result = self.master.run_command(['ipa-cert-fix', '-v'],
+                                         stdin_text='yes\n',
+                                         raiseonerr=False)
+        # check that pki-server cert-fix command fails
+        err_msg = ("ERROR: CalledProcessError(Command "
+                   "['pki-server', 'cert-fix'")
+        assert err_msg in result.stderr_text
+
 
 class TestIpaCertFixThirdParty(CALessBase):
     """