ipa-4.10.1-6

- Resolves: rhbz#2169632 Backport latest test fixes in python3-ipatests

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Florence Blanc-Renaud 2023-02-22 11:21:26 +01:00
parent 00abb6c62b
commit 86091b593d
9 changed files with 793 additions and 1 deletions


@ -0,0 +1,36 @@
From c411c2e7b2e400829ffac250db81609ef3c56faa Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 29 Nov 2022 10:04:41 +0100
Subject: [PATCH] webui tests: fix assertion in test_subid.py
The test wants to check the error related to an
exception obtained inside a "with pytest.raises" instruction.
The object is an ExceptionInfo and offers a match method
to check the content of the string representation.
Use this match() method instead of str(excinfo) which now
returns
'<ExceptionInfo NoSuchElementException() tblen=10>'
Fixes: https://pagure.io/freeipa/issue/9282
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
---
ipatests/test_webui/test_subid.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_webui/test_subid.py b/ipatests/test_webui/test_subid.py
index 104b5692da94437880e638c0b2bc8efd41bd969e..3aaf80ac885fea08d0bac7e2f46645fe207f2cb0 100644
--- a/ipatests/test_webui/test_subid.py
+++ b/ipatests/test_webui/test_subid.py
@@ -146,5 +146,5 @@ class test_subid(UI_driver):
with pytest.raises(NoSuchElementException) as excinfo:
self.delete_record(admin_uid, table_name="ipauniqueid")
# Ensure that the exception is really related to missing remove button
- msg = "Unable to locate element: .facet-controls button[name=remove]"
- assert msg in str(excinfo)
+ msg = r"Unable to locate element: .facet-controls button\[name=remove\]"
+ assert excinfo.match(msg)
--
2.39.1
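Review bot: The pattern passed to `excinfo.match()` in test_subid.py escapes only the square brackets, so the `.` before `facet-controls` is still a regex wildcard and the check is slightly looser than the substring test it replaces. Building the pattern with `re.escape("Unable to locate element: .facet-controls button[name=remove]")` keeps the literal readable and exact; that needs `import re` if the module does not already have it, which is not visible here. The enclosing test method starts outside the hunk.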


@ -0,0 +1,29 @@
From b5f2b0b1b213149b5bfe2653c9e40de98249dc73 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 10 Jan 2023 11:45:17 +0100
Subject: [PATCH] ipatests: mark test_smb as xfail
Mark the test test_smb.py::TestSMB::test_smb_service_s4u2self as xfail.
Related: https://pagure.io/freeipa/issue/9124
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipatests/test_integration/test_smb.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
index eb3981bddb7ca9f72a0d2cb6c46e5c73de8623ac..30f8d5901afbcda95f27cd966ac03d47205dbb26 100644
--- a/ipatests/test_integration/test_smb.py
+++ b/ipatests/test_integration/test_smb.py
@@ -349,6 +349,7 @@ class TestSMB(IntegrationTest):
@pytest.mark.skipif(
osinfo.id == 'fedora' and osinfo.version_number <= (31,),
reason='Test requires krb 1.18')
+ @pytest.mark.xfail(reason="Pagure ticket 9124", strict=True)
def test_smb_service_s4u2self(self):
"""Test S4U2Self operation by IPA service
against both AD and IPA users
--
2.39.1
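Review bot: The `xfail` marker added to `test_smb_service_s4u2self` carries only "Pagure ticket 9124" as its reason, so the test file gives no hint of what is failing or when the marker can be removed. Because this suspends regression coverage of the S4U2Self test, a comment above the decorator would help, for example `# Known failure, see https://pagure.io/freeipa/issue/9124; strict=True turns an unexpected pass into a failure so this marker is dropped once fixed`. The method body continues outside the hunk.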


@ -0,0 +1,43 @@
From 36cba23f3f671886f5e7fa310c25a6e500c76e0b Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 16 Jan 2023 09:31:57 +0100
Subject: [PATCH] Tests: force key type in ACME tests
PKI can issue ACME certs only when the key type is rsa.
With version 2.0.0, certbot defaults to ecdsa key type,
and this causes test failures.
For now, force rsa when requesting an ACME certificate.
This change can be reverted when PKI fixes the issue
on their side (https://github.com/dogtagpki/pki/issues/4273)
Related: https://pagure.io/freeipa/issue/9298
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_acme.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index a30f2fc756783c0a5c28ecf32c1e40f422c47a19..15d7543cfb0fa0fcb921166f7cd8f13d0535a41d 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -131,6 +131,7 @@ def certbot_standalone_cert(host, acme_server):
'certonly',
'--domain', host.hostname,
'--standalone',
+ '--key-type', 'rsa',
]
)
@@ -305,6 +306,7 @@ class TestACME(CALessBase):
'--manual-public-ip-logging-ok',
'--manual-auth-hook', CERTBOT_DNS_IPA_SCRIPT,
'--manual-cleanup-hook', CERTBOT_DNS_IPA_SCRIPT,
+ '--key-type', 'rsa',
])
##############
--
2.39.1
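Review bot: Both certbot invocations in test_acme.py now pin `'--key-type', 'rsa'` without a comment, so the reason for the workaround and the condition for reverting it live only in the commit message. A comment next to each added argument, e.g. `# PKI ACME only issues certs for RSA keys; remove once https://github.com/dogtagpki/pki/issues/4273 is fixed`, would keep the workaround from outliving the bug. While it is in place, these tests give no coverage of ECDSA-keyed ACME requests. Both hunks cut through their enclosing functions.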


@ -0,0 +1,36 @@
From ff31b0c40cc5e046f839b98b80bd16bb649205ac Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 30 Jan 2023 11:54:36 -0500
Subject: [PATCH] tests: Add ipa_ca_name checking to DNS system records
freeipa-healthcheck 0.12 includes a SUCCESS message if the
ipa-ca records are as expected so a user will know they
were checked. For that version and beyond test that it
is included.
Related: https://pagure.io/freeipa/issue/9291
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 49a5779307ef05617fe9ae200f7149d120977355..94b0db0b7869e722955e232e1dddb26a2dc3d41e 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -810,7 +810,9 @@ class TestIpaHealthCheck(IntegrationTest):
+ [str(ip) for ip in resolve_ip_addresses_nss(h.external_hostname)]
]
SYSTEM_RECORDS.append(f'"{self.master.domain.realm.upper()}"')
-
+ version = tasks.get_healthcheck_version(self.master)
+ if parse_version(version) >= parse_version("0.12"):
+ SYSTEM_RECORDS.append('ipa_ca_check')
returncode, data = run_healthcheck(
self.master,
--
2.39.1


@ -0,0 +1,53 @@
From 6ca119686aadfa72c0474f72758b63cd671952d4 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 30 Jan 2023 12:00:03 -0500
Subject: [PATCH] tests: Add new ipa-ca error messages to
IPADNSSystemRecordsCheck
freeipa-healthcheck changed some messages related to ipa-ca
DNS record validation in IPADNSSystemRecordsCheck. Include support
for it and retain backwards compatibility.
Fixes: https://pagure.io/freeipa/issue/9291
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_ipahealthcheck.py | 21 +++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 94b0db0b7869e722955e232e1dddb26a2dc3d41e..47f64f2cb36904ef61211423de7cf33d21a199c3 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -1614,12 +1614,21 @@ class TestIpaHealthCheckWithoutDNS(IntegrationTest):
Test checks the result of IPADNSSystemRecordsCheck
when ipa-server is configured without DNS.
"""
- expected_msgs = {
- "Expected SRV record missing",
- "Got {count} ipa-ca A records, expected {expected}",
- "Got {count} ipa-ca AAAA records, expected {expected}",
- "Expected URI record missing",
- }
+ version = tasks.get_healthcheck_version(self.master)
+ if (parse_version(version) < parse_version('0.12')):
+ expected_msgs = {
+ "Expected SRV record missing",
+ "Got {count} ipa-ca A records, expected {expected}",
+ "Got {count} ipa-ca AAAA records, expected {expected}",
+ "Expected URI record missing",
+ }
+ else:
+ expected_msgs = {
+ "Expected SRV record missing",
+ "Unexpected ipa-ca address {ipaddr}",
+ "expected ipa-ca to contain {ipaddr} for {server}",
+ "Expected URI record missing",
+ }
tasks.install_packages(self.master, HEALTHCHECK_PKG)
returncode, data = run_healthcheck(
--
2.39.1
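Review bot: In the `TestIpaHealthCheckWithoutDNS` hunk the new `tasks.get_healthcheck_version(self.master)` call sits before `tasks.install_packages(self.master, HEALTHCHECK_PKG)`, so the version may be queried while the package is not yet installed. How the helper behaves in that case is not visible here, but if it returns an empty or missing value, `parse_version` will either raise or select the wrong message set. Moving `tasks.install_packages(self.master, HEALTHCHECK_PKG)` above the `version = ...` line removes that dependency. The parentheses around the `if` condition are also redundant, and the test method starts and ends outside the hunk.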


@ -0,0 +1,445 @@
From 0f77b359e241fc4055fb8d785e18f96338451ebf Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Mon, 6 Feb 2023 15:31:27 +0530
Subject: [PATCH] ipatests: tests for certificate pruning
1. Test to prune the expired certificate by manual run
2. Test to prune expired certificate by cron job
3. Test to prune expired certificate with retention unit option
4. Test to prune expired certificate with search size limit option
5. Test to check config-show command shows set param
6. Test prune command shows proper status after disabling the pruning
related: https://pagure.io/freeipa/issue/9294
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_acme.py | 306 +++++++++++++++++++++----
1 file changed, 260 insertions(+), 46 deletions(-)
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index 5ceba05976059de69414a79634d98045c3ab68bb..1334be52f4530dd8b2a4207744146cd0eb5477a3 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -122,21 +122,23 @@ def certbot_register(host, acme_server):
)
-def certbot_standalone_cert(host, acme_server):
+def certbot_standalone_cert(host, acme_server, no_of_cert=1):
"""method to issue a certbot's certonly standalone cert"""
# Get a cert from ACME service using HTTP challenge and Certbot's
# standalone HTTP server mode
host.run_command(['systemctl', 'stop', 'httpd'])
- host.run_command(
- [
- 'certbot',
- '--server', acme_server,
- 'certonly',
- '--domain', host.hostname,
- '--standalone',
- '--key-type', 'rsa',
- ]
- )
+ for _i in range(0, no_of_cert):
+ host.run_command(
+ [
+ 'certbot',
+ '--server', acme_server,
+ 'certonly',
+ '--domain', host.hostname,
+ '--standalone',
+ '--key-type', 'rsa',
+ '--force-renewal'
+ ]
+ )
class TestACME(CALessBase):
@@ -573,43 +575,41 @@ class TestACMEwithExternalCA(TestACME):
tasks.install_replica(cls.master, cls.replicas[0])
-class TestACMERenew(IntegrationTest):
-
- num_clients = 1
+@pytest.fixture
+def issue_and_expire_acme_cert():
+ """Fixture to expire cert by moving date past expiry of acme cert"""
+ hosts = []
- @classmethod
- def install(cls, mh):
-
- # install packages before client install in case of IPA DNS problems
- cls.acme_server = prepare_acme_client(cls.master, cls.clients[0])
+ def _issue_and_expire_acme_cert(
+ master, client,
+ acme_server_url, no_of_cert=1
+ ):
- tasks.install_master(cls.master, setup_dns=True)
- tasks.install_client(cls.master, cls.clients[0])
+ hosts.append(master)
+ hosts.append(client)
- @pytest.fixture
- def issue_and_expire_cert(self):
- """Fixture to expire cert by moving date past expiry of acme cert"""
# enable the ACME service on master
- self.master.run_command(['ipa-acme-manage', 'enable'])
+ master.run_command(['ipa-acme-manage', 'enable'])
# register the account with certbot
- certbot_register(self.clients[0], self.acme_server)
+ certbot_register(client, acme_server_url)
# request a standalone acme cert
- certbot_standalone_cert(self.clients[0], self.acme_server)
+ certbot_standalone_cert(client, acme_server_url, no_of_cert)
# move system date to expire acme cert
- for host in self.clients[0], self.master:
+ for host in hosts:
tasks.kdestroy_all(host)
tasks.move_date(host, 'stop', '+90days')
+ time.sleep(10)
tasks.get_kdcinfo(host)
# Note raiseonerr=False:
# the assert is located after kdcinfo retrieval.
- result = host.run_command(
+ result = master.run_command(
"KRB5_TRACE=/dev/stdout kinit admin",
stdin_text='{0}\n{0}\n{0}\n'.format(
- self.clients[0].config.admin_password
+ master.config.admin_password
),
raiseonerr=False
)
@@ -618,16 +618,28 @@ class TestACMERenew(IntegrationTest):
tasks.get_kdcinfo(host)
assert result.returncode == 0
- yield
+ yield _issue_and_expire_acme_cert
- # move back date
- for host in self.clients[0], self.master:
- tasks.kdestroy_all(host)
- tasks.move_date(host, 'start', '-90days')
- tasks.kinit_admin(host)
+ # move back date
+ for host in hosts:
+ tasks.move_date(host, 'start', '-90days')
+
+
+class TestACMERenew(IntegrationTest):
+
+ num_clients = 1
+
+ @classmethod
+ def install(cls, mh):
+
+ # install packages before client install in case of IPA DNS problems
+ cls.acme_server = prepare_acme_client(cls.master, cls.clients[0])
+
+ tasks.install_master(cls.master, setup_dns=True)
+ tasks.install_client(cls.master, cls.clients[0])
@pytest.mark.skipif(skip_certbot_tests, reason='certbot not available')
- def test_renew(self, issue_and_expire_cert):
+ def test_renew(self, issue_and_expire_acme_cert):
"""Test if ACME renews the issued cert with cerbot
This test is to check if ACME certificate renews upon
@@ -635,6 +647,8 @@ class TestACMERenew(IntegrationTest):
related: https://pagure.io/freeipa/issue/4751
"""
+ issue_and_expire_acme_cert(
+ self.master, self.clients[0], self.acme_server)
data = self.clients[0].get_file_contents(
f'/etc/letsencrypt/live/{self.clients[0].hostname}/cert.pem'
)
@@ -656,6 +670,7 @@ class TestACMEPrune(IntegrationTest):
"""Validate that ipa-acme-manage configures dogtag for pruning"""
random_serial = True
+ num_clients = 1
@classmethod
def install(cls, mh):
@@ -663,6 +678,8 @@ class TestACMEPrune(IntegrationTest):
raise pytest.skip("RNSv3 not supported")
tasks.install_master(cls.master, setup_dns=True,
random_serial=True)
+ cls.acme_server = prepare_acme_client(cls.master, cls.clients[0])
+ tasks.install_client(cls.master, cls.clients[0])
@classmethod
def uninstall(cls, mh):
@@ -718,7 +735,7 @@ class TestACMEPrune(IntegrationTest):
['ipa-acme-manage', 'pruning',
'--requestretention=60',
'--requestretentionunit=minute',
- '--requestresearchsizelimit=2000',
+ '--requestsearchsizelimit=2000',
'--requestsearchtimelimit=5',]
)
cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH)
@@ -741,7 +758,7 @@ class TestACMEPrune(IntegrationTest):
self.master.run_command(
['ipa-acme-manage', 'pruning',
- '--cron="0 23 1 * *',]
+ '--cron=0 23 1 * *',]
)
cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH)
assert (
@@ -760,7 +777,7 @@ class TestACMEPrune(IntegrationTest):
'--enable', '--disable'],
raiseonerr=False
)
- assert result.returncode == 1
+ assert result.returncode == 2
assert "Cannot both enable and disable" in result.stderr_text
for cmd in ('--config-show', '--run'):
@@ -769,20 +786,20 @@ class TestACMEPrune(IntegrationTest):
cmd, '--enable'],
raiseonerr=False
)
- assert result.returncode == 1
+ assert result.returncode == 2
assert "Cannot change and show config" in result.stderr_text
result = self.master.run_command(
['ipa-acme-manage', 'pruning',
- '--cron="* *"'],
+ '--cron=* *'],
raiseonerr=False
)
- assert result.returncode == 1
- assert "Invalid format format --cron" in result.stderr_text
+ assert result.returncode == 2
+ assert "Invalid format for --cron" in result.stderr_text
result = self.master.run_command(
['ipa-acme-manage', 'pruning',
- '--cron="100 * * * *"'],
+ '--cron=100 * * * *'],
raiseonerr=False
)
assert result.returncode == 1
@@ -790,8 +807,205 @@ class TestACMEPrune(IntegrationTest):
result = self.master.run_command(
['ipa-acme-manage', 'pruning',
- '--cron="10 1-5 * * *"'],
+ '--cron=10 1-5 * * *'],
raiseonerr=False
)
assert result.returncode == 1
assert "1-5 ranges are not supported" in result.stderr_text
+
+ def test_prune_cert_manual(self, issue_and_expire_acme_cert):
+ """Test to prune expired certificate by manual run"""
+ if (tasks.get_pki_version(self.master)
+ < tasks.parse_version('11.3.0')):
+ raise pytest.skip("Certificate pruning is not available")
+
+ issue_and_expire_acme_cert(
+ self.master, self.clients[0], self.acme_server)
+
+ # check that the certificate issued for the client
+ result = self.master.run_command(
+ ['ipa', 'cert-find', '--subject', self.clients[0].hostname]
+ )
+ assert f'CN={self.clients[0].hostname}' in result.stdout_text
+
+ # run prune command manually
+ self.master.run_command(['ipa-acme-manage', 'pruning', '--enable'])
+ self.master.run_command(['ipactl', 'restart'])
+ self.master.run_command(['ipa-acme-manage', 'pruning', '--run'])
+ # wait for cert to get prune
+ time.sleep(50)
+
+ # check if client cert is removed
+ result = self.master.run_command(
+ ['ipa', 'cert-find', '--subject', self.clients[0].hostname],
+ raiseonerr=False
+ )
+ assert f'CN={self.clients[0].hostname}' not in result.stdout_text
+
+ def test_prune_cert_cron(self, issue_and_expire_acme_cert):
+ """Test to prune expired certificate by cron job"""
+ if (tasks.get_pki_version(self.master)
+ < tasks.parse_version('11.3.0')):
+ raise pytest.skip("Certificate pruning is not available")
+
+ issue_and_expire_acme_cert(
+ self.master, self.clients[0], self.acme_server)
+
+ # check that the certificate issued for the client
+ result = self.master.run_command(
+ ['ipa', 'cert-find', '--subject', self.clients[0].hostname]
+ )
+ assert f'CN={self.clients[0].hostname}' in result.stdout_text
+
+ # enable pruning
+ self.master.run_command(['ipa-acme-manage', 'pruning', '--enable'])
+
+ # cron would be set to run the next minute
+ cron_minute = self.master.run_command(
+ [
+ "python3",
+ "-c",
+ (
+ "from datetime import datetime; "
+ "print(int(datetime.now().strftime('%M')) + 5)"
+ ),
+ ]
+ ).stdout_text.strip()
+ self.master.run_command(
+ ['ipa-acme-manage', 'pruning',
+ f'--cron={cron_minute} * * * *']
+ )
+ self.master.run_command(['ipactl', 'restart'])
+ # wait for 5 minutes to cron to execute and 20 sec for just in case
+ time.sleep(320)
+
+ # check if client cert is removed
+ result = self.master.run_command(
+ ['ipa', 'cert-find', '--subject', self.clients[0].hostname],
+ raiseonerr=False
+ )
+ assert f'CN={self.clients[0].hostname}' not in result.stdout_text
+
+ def test_prune_cert_retention_unit(self, issue_and_expire_acme_cert):
+ """Test to prune expired certificate with retention unit option"""
+ if (tasks.get_pki_version(self.master)
+ < tasks.parse_version('11.3.0')):
+ raise pytest.skip("Certificate pruning is not available")
+ issue_and_expire_acme_cert(
+ self.master, self.clients[0], self.acme_server)
+
+ # check that the certificate issued for the client
+ result = self.master.run_command(
+ ['ipa', 'cert-find', '--subject', self.clients[0].hostname]
+ )
+ assert f'CN={self.clients[0].hostname}' in result.stdout_text
+
+ # enable pruning
+ self.master.run_command(['ipa-acme-manage', 'pruning', '--enable'])
+
+ # certretention set to 5 min
+ self.master.run_command(
+ ['ipa-acme-manage', 'pruning',
+ '--certretention=5', '--certretentionunit=minute']
+ )
+ self.master.run_command(['ipactl', 'restart'])
+
+ # wait for 5 min and check if expired cert is removed
+ time.sleep(310)
+ self.master.run_command(['ipa-acme-manage', 'pruning', '--run'])
+ result = self.master.run_command(
+ ['ipa', 'cert-find', '--subject', self.clients[0].hostname],
+ raiseonerr=False
+ )
+ assert f'CN={self.clients[0].hostname}' not in result.stdout_text
+
+ def test_prune_cert_search_size_limit(self, issue_and_expire_acme_cert):
+ """Test to prune expired certificate with search size limit option"""
+ if (tasks.get_pki_version(self.master)
+ < tasks.parse_version('11.3.0')):
+ raise pytest.skip("Certificate pruning is not available")
+ no_of_cert = 10
+ search_size_limit = 5
+ issue_and_expire_acme_cert(
+ self.master, self.clients[0], self.acme_server, no_of_cert)
+
+ # check that the certificate issued for the client
+ result = self.master.run_command(
+ ['ipa', 'cert-find', '--subject', self.clients[0].hostname]
+ )
+ assert f'CN={self.clients[0].hostname}' in result.stdout_text
+ assert f'Number of entries returned {no_of_cert}'
+
+ # enable pruning
+ self.master.run_command(['ipa-acme-manage', 'pruning', '--enable'])
+
+ # certretention set to 5 min
+ self.master.run_command(
+ ['ipa-acme-manage', 'pruning',
+ f'--certsearchsizelimit={search_size_limit}',
+ '--certsearchtimelimit=100']
+ )
+ self.master.run_command(['ipactl', 'restart'])
+
+ # prune the certificates
+ self.master.run_command(['ipa-acme-manage', 'pruning', '--run'])
+
+ # check if 5 expired cert is removed
+ result = self.master.run_command(
+ ['ipa', 'cert-find', '--subject', self.clients[0].hostname]
+ )
+ assert f'Number of entries returned {no_of_cert - search_size_limit}'
+
+ def test_prune_config_show(self, issue_and_expire_acme_cert):
+ """Test to check config-show command shows set param"""
+ if (tasks.get_pki_version(self.master)
+ < tasks.parse_version('11.3.0')):
+ raise pytest.skip("Certificate pruning is not available")
+
+ self.master.run_command(['ipa-acme-manage', 'pruning', '--enable'])
+ self.master.run_command(
+ ['ipa-acme-manage', 'pruning',
+ '--cron=0 0 1 * *']
+ )
+ self.master.run_command(
+ ['ipa-acme-manage', 'pruning',
+ '--certretention=30', '--certretentionunit=day']
+ )
+ self.master.run_command(
+ ['ipa-acme-manage', 'pruning',
+ '--certsearchsizelimit=1000', '--certsearchtimelimit=0']
+ )
+ self.master.run_command(
+ ['ipa-acme-manage', 'pruning',
+ '--requestretention=30', '--requestretentionunit=day']
+ )
+ self.master.run_command(
+ ['ipa-acme-manage', 'pruning',
+ '--requestsearchsizelimit=1000', '--requestsearchtimelimit=0']
+ )
+ result = self.master.run_command(
+ ['ipa-acme-manage', 'pruning', '--config-show']
+ )
+ assert 'Status: enabled' in result.stdout_text
+ assert 'Certificate Retention Time: 30' in result.stdout_text
+ assert 'Certificate Retention Unit: day' in result.stdout_text
+ assert 'Certificate Search Size Limit: 1000' in result.stdout_text
+ assert 'Certificate Search Time Limit: 100' in result.stdout_text
+ assert 'Request Retention Time: 30' in result.stdout_text
+ assert 'Request Retention Unit: day' in result.stdout_text
+ assert 'Request Search Size Limit' in result.stdout_text
+ assert 'Request Search Time Limit: 100' in result.stdout_text
+ assert 'cron Schedule: 0 0 1 * *' in result.stdout_text
+
+ def test_prune_disable(self, issue_and_expire_acme_cert):
+ """Test prune command throw error after disabling the pruning"""
+ if (tasks.get_pki_version(self.master)
+ < tasks.parse_version('11.3.0')):
+ raise pytest.skip("Certificate pruning is not available")
+
+ self.master.run_command(['ipa-acme-manage', 'pruning', '--disable'])
+ result = self.master.run_command(
+ ['ipa-acme-manage', 'pruning',
+ '--cron=0 0 1 * *']
+ )
+ assert 'Status: disabled' in result.stdout_text
--
2.39.1
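Review bot: In `test_prune_cert_search_size_limit` the checks `assert f'Number of entries returned {no_of_cert}'` and `assert f'Number of entries returned {no_of_cert - search_size_limit}'` assert a non-empty string, which is always true, so the test passes whether or not the search size limit was honoured. Assuming the `cert-find` output uses that wording, they should read `assert f'Number of entries returned {no_of_cert}' in result.stdout_text` and `assert f'Number of entries returned {no_of_cert - search_size_limit}' in result.stdout_text`. The comment `# certretention set to 5 min` in the same test is copied from the retention test and does not describe the search-limit options being set. The docstring of `test_prune_disable` says the command throws an error, while the test asserts `'Status: disabled'` on stdout of a command run with the default error handling.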


@ -0,0 +1,65 @@
From 88b9be29036a3580a8bccd31986fc30faa9852df Mon Sep 17 00:00:00 2001
From: mbhalodi <mbhalodi@redhat.com>
Date: Tue, 14 Feb 2023 15:04:58 +0530
Subject: [PATCH] ipatests: ensure that ipa automember-rebuild prints a warning
ipa automember-rebuild now prints a warning about CPU usage.
Ensure that the warning is properly displayed.
Related: https://pagure.io/freeipa/issue/9320
Signed-off-by: mbhalodi <mbhalodi@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_automember.py | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/ipatests/test_integration/test_automember.py b/ipatests/test_integration/test_automember.py
index f013964140714db046a1aa6a92409244b2137727..7acd0d7bf895fec970f2bda8b54f4496280525b6 100644
--- a/ipatests/test_integration/test_automember.py
+++ b/ipatests/test_integration/test_automember.py
@@ -10,6 +10,9 @@ from ipapython.dn import DN
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest
+msg = ('IMPORTANT: In case of a high number of users, hosts or '
+ 'groups, the operation may require high CPU usage.')
+
class TestAutounmembership(IntegrationTest):
"""Tests for autounmembership feature.
@@ -206,11 +209,13 @@ class TestAutounmembership(IntegrationTest):
assert self.is_user_member_of_group(user2, group1)
# Running automember-build so that user is part of correct group
- self.master.run_command(['ipa', 'automember-rebuild',
- '--users=%s' % user2])
+ result = self.master.run_command(['ipa', 'automember-rebuild',
+ '--users=%s' % user2])
assert self.is_user_member_of_group(user2, group2)
assert not self.is_user_member_of_group(user2, group1)
+ assert msg in result.stdout_text
+
finally:
# testcase cleanup
self.remove_user_automember(user2, raiseonerr=False)
@@ -240,12 +245,14 @@ class TestAutounmembership(IntegrationTest):
assert self.is_host_member_of_hostgroup(host2, hostgroup1)
# Running the automember-build so host is part of correct hostgroup
- self.master.run_command(
+ result = self.master.run_command(
['ipa', 'automember-rebuild', '--hosts=%s' % host2]
)
assert self.is_host_member_of_hostgroup(host2, hostgroup2)
assert not self.is_host_member_of_hostgroup(host2, hostgroup1)
+ assert msg in result.stdout_text
+
finally:
# testcase cleanup
self.remove_host_automember(host2, raiseonerr=False)
--
2.39.1
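Review bot: The new module-level constant in test_automember.py is named `msg`, which any local variable called `msg` in a test in this module would silently shadow. An upper-case, descriptive name such as `REBUILD_WARNING = (...)`, used as `assert REBUILD_WARNING in result.stdout_text` in both tests, follows the usual constant convention and avoids that. Both test methods extend beyond their hunks.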


@ -0,0 +1,74 @@
From e76b219c21d53b6bccce4ea3d18e2b61ac835e1f Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Mon, 20 Feb 2023 15:33:09 +0530
Subject: [PATCH] ipatests: fix tests in TestACMEPrune
When cron_minute + 5 > 59, cron job throwing error for it.
i.e 58 + 5 = 63 which is not acceptable value for cron minute.
Second fix is related to mismatch of confing setting and corresponding
assert.
Third fix is related to extending time by 60 minutes to properly
expire the certs.
related: https://pagure.io/freeipa/issue/9294
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_acme.py | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index 1334be52f4530dd8b2a4207744146cd0eb5477a3..49b173060f88d4b8e876d8e3461a935938518b44 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -600,7 +600,7 @@ def issue_and_expire_acme_cert():
# move system date to expire acme cert
for host in hosts:
tasks.kdestroy_all(host)
- tasks.move_date(host, 'stop', '+90days')
+ tasks.move_date(host, 'stop', '+90days+60minutes')
time.sleep(10)
tasks.get_kdcinfo(host)
@@ -622,7 +622,7 @@ def issue_and_expire_acme_cert():
# move back date
for host in hosts:
- tasks.move_date(host, 'start', '-90days')
+ tasks.move_date(host, 'start', '-90days-60minutes')
class TestACMERenew(IntegrationTest):
@@ -866,8 +866,9 @@ class TestACMEPrune(IntegrationTest):
"python3",
"-c",
(
- "from datetime import datetime; "
- "print(int(datetime.now().strftime('%M')) + 5)"
+ "from datetime import datetime, timedelta; "
+ "print(int((datetime.now() + "
+ "timedelta(minutes=5)).strftime('%M')))"
),
]
).stdout_text.strip()
@@ -990,11 +991,11 @@ class TestACMEPrune(IntegrationTest):
assert 'Certificate Retention Time: 30' in result.stdout_text
assert 'Certificate Retention Unit: day' in result.stdout_text
assert 'Certificate Search Size Limit: 1000' in result.stdout_text
- assert 'Certificate Search Time Limit: 100' in result.stdout_text
+ assert 'Certificate Search Time Limit: 0' in result.stdout_text
assert 'Request Retention Time: 30' in result.stdout_text
assert 'Request Retention Unit: day' in result.stdout_text
- assert 'Request Search Size Limit' in result.stdout_text
- assert 'Request Search Time Limit: 100' in result.stdout_text
+ assert 'Request Search Size Limit: 1000' in result.stdout_text
+ assert 'Request Search Time Limit: 0' in result.stdout_text
assert 'cron Schedule: 0 0 1 * *' in result.stdout_text
def test_prune_disable(self, issue_and_expire_acme_cert):
--
2.39.1
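Review bot: The remote one-liner that computes the cron minute in `TestACMEPrune` formats the time as a string and parses it back with `int((...).strftime('%M'))`; `(datetime.now() + timedelta(minutes=5)).minute` yields the same integer directly. The shifted-date strings `'+90days+60minutes'` and `'-90days-60minutes'` in `issue_and_expire_acme_cert` also have to be kept in step by hand. A mismatch would leave the hosts' clocks skewed after teardown, so defining the two offsets side by side as module-level constants would be safer. All four hunks cut through their enclosing functions.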


@ -223,7 +223,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 5%{?rc_version:.%rc_version}%{?dist}
Release: 6%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -261,6 +261,14 @@ Patch0011: 0011-Fix-setting-values-of-0-in-ACME-pruning.patch
Patch0012: 0012-Wipe-the-ipa-ca-DNS-record-when-updating-system-reco.patch
Patch0013: 0013-ipa-kdb-PAC-consistency-checker-needs-to-handle-chil.patch
Patch0014: 0014-Add-test-for-SSH-with-GSSAPI-auth.patch
Patch0015: 0015-webui-tests-fix-assertion-in-test_subid.py.patch
Patch0016: 0016-ipatests-mark-test_smb-as-xfail.patch
Patch0017: 0017-Tests-force-key-type-in-ACME-tests.patch
Patch0018: 0018-tests-Add-ipa_ca_name-checking-to-DNS-system-records.patch
Patch0019: 0019-tests-Add-new-ipa-ca-error-messages-to-IPADNSSystemR.patch
Patch0020: 0020-ipatests-tests-for-certificate-pruning.patch
Patch0021: 0021-ipatests-ensure-that-ipa-automember-rebuild-prints-a.patch
Patch0022: 0022-ipatests-fix-tests-in-TestACMEPrune.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -1748,6 +1756,9 @@ fi
%endif
%changelog
* Wed Feb 22 2023 Florence Blanc-Renaud <flo@redhat.com> - 4.10.1-6
- Resolves: rhbz#2169632 Backport latest test fixes in python3-ipatests
* Mon Feb 13 2023 Florence Blanc-Renaud <flo@redhat.com> - 4.10.1-5
- Resolves: rhbz#2162656 Passwordless (GSSAPI) SSH not working for subdomain
- Resolves: rhbz#2166326 Removing the last DNS type for ipa-ca does not work