ipa-4.9.6-6

- Resolves: rhbz#1998098 - Backport latest test fixes in python3-ipatests

0044-ipatests-Test-unsecure-nsupdate.patch

@@ -0,0 +1,162 @@
+From 4fdab0c94c4e17e42e5f38a0e671bea39bcc9b74 Mon Sep 17 00:00:00 2001
+From: Anuja More <amore@redhat.com>
+Date: Mon, 9 Aug 2021 20:57:22 +0530
+Subject: [PATCH] ipatests: Test unsecure nsupdate.
+
+The test configures an external bind server on the ipa-server
+(not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
+
+When the IPA client is registered using ipa-client-install,
+DNS records are added for the client in the bind server using nsupdate.
+The first try is using GSS-TIG but fails as expected, and the client
+installer then tries with unauthenticated nsupdate.
+
+Related : https://pagure.io/freeipa/issue/8402
+
+Signed-off-by: Anuja More <amore@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ .../test_installation_client.py               | 118 ++++++++++++++++++
+ 1 file changed, 118 insertions(+)
+
+diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py
+index fa59a5255..014b0f6ab 100644
+--- a/ipatests/test_integration/test_installation_client.py
++++ b/ipatests/test_integration/test_installation_client.py
+@@ -8,10 +8,15 @@ Module provides tests for various options of ipa-client-install.
+ 
+ from __future__ import absolute_import
+ 
++import pytest
++import re
+ import shlex
++import textwrap
+ 
++from ipaplatform.paths import paths
+ from ipatests.test_integration.base import IntegrationTest
+ from ipatests.pytest_ipa.integration import tasks
++from ipatests.pytest_ipa.integration.firewall import Firewall
+ 
+ 
+ class TestInstallClient(IntegrationTest):
+@@ -70,3 +75,116 @@ class TestInstallClient(IntegrationTest):
+                              extra_args=['--ssh-trust-dns'])
+         result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config'])
+         assert 'HostKeyAlgorithms' not in result.stdout_text
++
++
++class TestClientInstallBind(IntegrationTest):
++    """
++    The test configures an external bind server on the ipa-server
++    (not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
++    When the IPA client is registered using ipa-client-install,
++    DNS records are added for the client in the bind server using nsupdate.
++    The first try is using GSS-TIG but fails as expected, and the client
++    installer then tries with unauthenticated nsupdate.
++    """
++
++    num_clients = 1
++
++    @classmethod
++    def install(cls, mh):
++        cls.client = cls.clients[0]
++
++    @pytest.fixture
++    def setup_bindserver(self):
++        bindserver = self.master
++        named_conf_backup = tasks.FileBackup(self.master, paths.NAMED_CONF)
++        # create a zone in the BIND server that is identical to the IPA
++        add_zone = textwrap.dedent("""
++        zone "{domain}" IN {{ type master;
++        file "{domain}.db"; allow-query {{ any; }};
++        allow-update {{ any; }}; }};
++        """).format(domain=bindserver.domain.name)
++
++        namedcfg = bindserver.get_file_contents(
++            paths.NAMED_CONF, encoding='utf-8')
++        namedcfg += '\n' + add_zone
++        bindserver.put_file_contents(paths.NAMED_CONF, namedcfg)
++
++        def update_contents(path, pattern, replace):
++            contents = bindserver.get_file_contents(path, encoding='utf-8')
++            namedcfg_query = re.sub(pattern, replace, contents)
++            bindserver.put_file_contents(path, namedcfg_query)
++
++        update_contents(paths.NAMED_CONF, 'localhost;', 'any;')
++        update_contents(paths.NAMED_CONF, "listen-on port 53 { 127.0.0.1; };",
++                        "#listen-on port 53 { 127.0.0.1; };")
++        update_contents(paths.NAMED_CONF, "listen-on-v6 port 53 { ::1; };",
++                        "#listen-on-v6 port 53 { ::1; };")
++
++        add_records = textwrap.dedent("""
++        @   IN  SOA     {fqdn}. root.{domain}. (
++        1001    ;Serial
++        3H      ;Refresh
++        15M     ;Retry
++        1W      ;Expire
++        1D      ;Minimum 1D
++        )
++        @      IN  NS      {fqdn}.
++        ns1 IN  A       {bindserverip}
++        _kerberos.{domain}. IN TXT {zoneupper}
++        {fqdn}.    IN  A       {bindserverip}
++        ipa-ca.{domain}.        IN  A       {bindserverip}
++        _kerberos-master._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
++        _kerberos-master._udp.{domain}. IN SRV 0 100 88 {fqdn}.
++        _kerberos._tcp.{domain}. 	IN SRV 0 100 88 {fqdn}.
++        _kerberos._udp.{domain}. 	IN SRV 0 100 88 {fqdn}.
++        _kpasswd._tcp.{domain}. 	IN SRV 0 100 464 {fqdn}.
++        _kpasswd._udp.{domain}. 	IN SRV 0 100 464 {fqdn}.
++        _ldap._tcp.{domain}. 		IN SRV 0 100 389 {fqdn}.
++        """).format(
++            fqdn=bindserver.hostname,
++            domain=bindserver.domain.name,
++            bindserverip=bindserver.ip,
++            zoneupper=bindserver.domain.name.upper()
++        )
++        bindserverdb = "/var/named/{0}.db".format(bindserver.domain.name)
++        bindserver.put_file_contents(bindserverdb, add_records)
++        bindserver.run_command(['systemctl', 'start', 'named'])
++        Firewall(bindserver).enable_services(["dns"])
++        yield
++        named_conf_backup.restore()
++        bindserver.run_command(['rm', '-rf', bindserverdb])
++
++    def test_client_nsupdate(self, setup_bindserver):
++        """Test secure nsupdate failed, then try unsecure nsupdate..
++
++        Test to verify when bind is configured with dynamic update policy,
++        and during client-install 'nsupdate -g' fails then it should run with
++        second call using unauthenticated nsupdate.
++
++        Related : https://pagure.io/freeipa/issue/8402
++        """
++        # with pre-configured bind server, install ipa-server without dns.
++        tasks.install_master(self.master, setup_dns=False)
++        self.client.resolver.backup()
++        self.client.resolver.setup_resolver(
++            self.master.ip, self.master.domain.name)
++        try:
++            self.client.run_command(['ipa-client-install', '-U',
++                                     '--domain', self.client.domain.name,
++                                     '--realm', self.client.domain.realm,
++                                     '-p', self.client.config.admin_name,
++                                     '-w', self.client.config.admin_password,
++                                     '--server', self.master.hostname])
++            # call unauthenticated nsupdate if GSS-TSIG nsupdate failed.
++            str1 = "nsupdate (GSS-TSIG) failed"
++            str2 = "'/usr/bin/nsupdate', '/etc/ipa/.dns_update.txt'"
++            client_log = self.client.get_file_contents(
++                paths.IPACLIENT_INSTALL_LOG, encoding='utf-8'
++            )
++            assert str1 in client_log and str2 in client_log
++            dig_after = self.client.run_command(
++                ['dig', '@{0}'.format(self.master.ip), self.client.hostname,
++                 '-t', 'SSHFP'])
++            assert "ANSWER: 0" not in dig_after.stdout_text.strip()
++        finally:
++            self.client.resolver.restore()
+-- 
+2.31.1
+

0045-ipatests-Fix-TestAJPSecretUpgrade-tests-on-systems-w.patch

@@ -0,0 +1,88 @@
+From c9bc471e063f2865d6423e4f1c9b81e73a45e43f Mon Sep 17 00:00:00 2001
+From: Stanislav Levin <slev@altlinux.org>
+Date: Wed, 4 Aug 2021 18:38:16 +0300
+Subject: [PATCH] ipatests: Fix TestAJPSecretUpgrade tests on systems without
+ pkiuser
+
+Tests in `test_ipaserver.test_secure_ajp_connector' assume that there
+is pkiuser in OS, but this is not always true (for example, in systems
+having minimum installed dependencies, in particular, without pki-server
+RPM package). Since the tests already use the mock and pkiuser entity is
+not the subject of testing the pwd.getpwnam has been mocked.
+
+Fixes: https://pagure.io/freeipa/issue/8942
+Signed-off-by: Stanislav Levin <slev@altlinux.org>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ .../test_secure_ajp_connector.py              | 40 ++++++++++++++++---
+ 1 file changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/ipatests/test_ipaserver/test_secure_ajp_connector.py b/ipatests/test_ipaserver/test_secure_ajp_connector.py
+index 2719dbc48..35ef7407a 100644
+--- a/ipatests/test_ipaserver/test_secure_ajp_connector.py
++++ b/ipatests/test_ipaserver/test_secure_ajp_connector.py
+@@ -1,5 +1,6 @@
+ # Copyright (C) 2021  FreeIPA Project Contributors - see LICENSE file
+ 
++from collections import namedtuple
+ from io import BytesIO
+ from lxml.etree import parse as myparse  # pylint: disable=no-name-in-module
+ import pytest
+@@ -32,6 +33,32 @@ def mock_etree_parse(data):
+     return myparse(f)
+ 
+ 
++def mock_pkiuser_entity():
++    """Return struct_passwd for mocked pkiuser"""
++    StructPasswd = namedtuple(
++        "StructPasswd",
++        [
++            "pw_name",
++            "pw_passwd",
++            "pw_uid",
++            "pw_gid",
++            "pw_gecos",
++            "pw_dir",
++            "pw_shell",
++        ]
++    )
++    pkiuser_entity = StructPasswd(
++        constants.PKI_USER,
++        pw_passwd="x",
++        pw_uid=-1,
++        pw_gid=-1,
++        pw_gecos="",
++        pw_dir="/dev/null",
++        pw_shell="/sbin/nologin",
++    )
++    return pkiuser_entity
++
++
+ # Format of test_data is:
+ #    (
+ #        is_newer_tomcat (boolean),
+@@ -148,14 +175,15 @@ test_data = (
+ 
+ 
+ class TestAJPSecretUpgrade:
+-    @patch('os.chown')
+-    @patch('lxml.etree.parse')
+-    @pytest.mark.parametrize('is_newer, data, secret, expect, rewrite',
+-                             test_data)
+-    def test_connecter(self, mock_parse, mock_chown, is_newer, data, secret,
+-                       expect, rewrite):
++    @patch("ipaplatform.base.constants.pwd.getpwnam")
++    @patch("ipaplatform.base.constants.os.chown")
++    @patch("ipaserver.install.dogtaginstance.lxml.etree.parse")
++    @pytest.mark.parametrize("test_data", test_data)
++    def test_connecter(self, mock_parse, mock_chown, mock_getpwnam, test_data):
++        is_newer, data, secret, expect, rewrite = test_data
+         mock_chown.return_value = None
+         mock_parse.return_value = mock_etree_parse(data)
++        mock_getpwnam.return_value = mock_pkiuser_entity()
+ 
+         dogtag = MyDogtagInstance(is_newer)
+         with patch('ipaserver.install.dogtaginstance.open', mock_open()) \
+-- 
+2.31.1
+

0046-ipatests-test_ipahealthcheck-Verify-permissions-for-.patch

@@ -0,0 +1,54 @@
+From 488ac7e3ba9f36d6b187687d120920d2d80d8b7f Mon Sep 17 00:00:00 2001
+From: Michal Polovka <mpolovka@redhat.com>
+Date: Tue, 10 Aug 2021 18:11:05 +0200
+Subject: [PATCH] ipatests: test_ipahealthcheck: Verify permissions for
+ /var/log/ files
+
+Test if files in /var/log are being checked with ipahealthcheck.ipa.files source.
+
+Resolves: https://pagure.io/freeipa/issue/8949
+
+Signed-off-by: Michal Polovka <mpolovka@redhat.com>
+Reviewed-By: Michal Polovka <mpolovka@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ .../test_integration/test_ipahealthcheck.py   | 23 +++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
+index 36fe72be7..089793a2f 100644
+--- a/ipatests/test_integration/test_ipahealthcheck.py
++++ b/ipatests/test_integration/test_ipahealthcheck.py
+@@ -1227,6 +1227,29 @@ class TestIpaHealthCheck(IntegrationTest):
+         )
+         assert msg in cmd.stdout_text
+ 
++    def test_ipahealthcheck_verify_perms_for_source_files(self,
++                                                          modify_permissions):
++        """
++        This tests checks if files in /var/log are checked with ipa.files
++        source.
++        The test modifies permissions of ipainstall log file and checks the
++        response from healthcheck.
++
++        https://pagure.io/freeipa/issue/8949
++        """
++        modify_permissions(self.master, path=paths.IPASERVER_INSTALL_LOG,
++                           mode="0644")
++        returncode, data = run_healthcheck(
++            self.master, "ipahealthcheck.ipa.files", failures_only=True)
++
++        assert returncode == 1
++        assert len(data) == 1
++        assert data[0]["result"] == "WARNING"
++        assert data[0]["kw"]["path"] == paths.IPASERVER_INSTALL_LOG
++        assert data[0]["kw"]["type"] == "mode"
++        assert data[0]["kw"]["expected"] == "0600"
++
++
+     @pytest.fixture
+     def remove_healthcheck(self):
+         """
+-- 
+2.31.1
+

0047-ipatests-test-to-renew-certs-on-replica-using-ipa-ce.patch

@@ -0,0 +1,127 @@
+From e0aef5296b66c0b460f7e10993610fe68b312241 Mon Sep 17 00:00:00 2001
+From: Mohammad Rizwan <myusuf@redhat.com>
+Date: Mon, 19 Apr 2021 12:08:28 +0530
+Subject: [PATCH] ipatests: test to renew certs on replica using ipa-cert-fix
+
+This test checks if ipa-cert-fix renews the certs on replica
+after cert renewal on master.
+
+related: https://pagure.io/freeipa/issue/7885
+
+ipatests: refactor expire_cert_critical fixture
+
+Defined method to move the date and refactor
+expire_cert_critical fixture using it
+
+ipatests: PEP8 fixes
+
+Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ .../test_integration/test_ipa_cert_fix.py     | 74 ++++++++++++++++++-
+ 1 file changed, 70 insertions(+), 4 deletions(-)
+
+diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
+index f3cf59afc..a20996737 100644
+--- a/ipatests/test_integration/test_ipa_cert_fix.py
++++ b/ipatests/test_integration/test_ipa_cert_fix.py
+@@ -6,6 +6,7 @@
+ Module provides tests for ipa-cert-fix CLI.
+ """
+ import pytest
++import re
+ import time
+ 
+ import logging
+@@ -74,15 +75,15 @@ def expire_cert_critical():
+                              extra_args=['--no-ntp'])
+         if setup_kra:
+             tasks.install_kra(host)
+-        host.run_command(['systemctl', 'stop', 'chronyd'])
+-        host.run_command(['date', '-s', '+3Years+1day'])
++
++        # move date to expire certs
++        move_date(host, 'stop', '+3Years+1day')
+ 
+     yield _expire_cert_critical
+ 
+     host = hosts.pop('host')
+     tasks.uninstall_master(host)
+-    host.run_command(['date', '-s', '-3Years-1day'])
+-    host.run_command(['systemctl', 'start', 'chronyd'])
++    move_date(host, 'start', '-3Years-1day')
+ 
+ 
+ class TestIpaCertFix(IntegrationTest):
+@@ -336,3 +337,68 @@ class TestCertFixKRA(IntegrationTest):
+         self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
+ 
+         check_status(self.master, 12, "MONITORING")
++
++
++class TestCertFixReplica(IntegrationTest):
++
++    num_replicas = 1
++
++    @classmethod
++    def install(cls, mh):
++        tasks.install_master(
++            mh.master, setup_dns=False, extra_args=['--no-ntp']
++        )
++        tasks.install_replica(
++            mh.master, mh.replicas[0],
++            setup_dns=False, extra_args=['--no-ntp']
++        )
++
++    def test_renew_expired_cert_replica(self):
++        """Test renewal of certificates on replica with ipa-cert-fix
++
++        This is to check that ipa-cert-fix renews the certificates
++        on replica
++
++        related: https://pagure.io/freeipa/issue/7885
++        """
++        move_date(self.master, 'stop', '+3years+1days')
++
++        # wait for cert expiry
++        check_status(self.master, 8, "CA_UNREACHABLE")
++
++        self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
++
++        check_status(self.master, 9, "MONITORING")
++
++        # move system date to expire cert on replica
++        move_date(self.replicas[0], 'stop', '+3years+1days')
++
++        # RA agent cert will be expired and in CA_UNREACHABLE state
++        check_status(self.replicas[0], 1, "CA_UNREACHABLE")
++
++        # renew RA agent cert
++        self.replicas[0].run_command(
++            ['ipa-cert-fix', '-v'], stdin_text='yes\n'
++        )
++
++        # LDAP/HTTP/PKINIT certs will be renewed automaticaly
++        # after moving date on replica. This 3, 1 CA cert,
++        # 1 RA agent cert. Check for total 5 valid certs.
++        check_status(self.replicas[0], 5, "MONITORING")
++
++        # get the req ids of all certs to renew remaining
++        # certs by re-submitting it
++        result = self.replicas[0].run_command(['getcert', 'list'])
++        req_ids = re.findall(r'\d{14}', result.stdout_text)
++
++        # resubmit the certs to renew them
++        for req_id in req_ids:
++            self.replicas[0].run_command(
++                ['getcert', 'resubmit', '-i', req_id]
++            )
++
++        check_status(self.master, 9, "MONITORING")
++
++        # move date back on replica and master
++        move_date(self.replicas[0], 'start', '-3years-1days')
++        move_date(self.master, 'start', '-3years-1days')
+-- 
+2.31.1
+

0048-ipatests-wait-while-http-ldap-pkinit-cert-get-renew-.patch

@@ -0,0 +1,252 @@
+From a620e5e9e152defe144705913521c3cf556faa0e Mon Sep 17 00:00:00 2001
+From: Mohammad Rizwan <myusuf@redhat.com>
+Date: Mon, 26 Apr 2021 15:50:20 +0530
+Subject: [PATCH] ipatests: wait while http/ldap/pkinit cert get renew on
+ replica
+
+LDAP/HTTP/PKINIT certificates should be renewd on replica after
+moving system date. Test was failing because ipa-cert-fix ran
+while these cert was not renewd and it tried to fix it.
+
+This test adds check for replication before calling ipa-cert-fix
+on replica.
+
+Fixes: https://pagure.io/freeipa/issue/8815
+
+Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Sergey Orlov <sorlov@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ .../test_integration/test_ipa_cert_fix.py     | 172 +++++++++++++++---
+ 1 file changed, 144 insertions(+), 28 deletions(-)
+
+diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
+index a20996737..fa69743e2 100644
+--- a/ipatests/test_integration/test_ipa_cert_fix.py
++++ b/ipatests/test_integration/test_ipa_cert_fix.py
+@@ -5,16 +5,19 @@
+ """
+ Module provides tests for ipa-cert-fix CLI.
+ """
++from cryptography.hazmat.backends import default_backend
++from cryptography import x509
++from datetime import datetime, date
+ import pytest
+-import re
+ import time
+ 
+ import logging
+ from ipaplatform.paths import paths
++from ipapython.ipaldap import realm_to_serverid
+ from ipatests.pytest_ipa.integration import tasks
+ from ipatests.test_integration.base import IntegrationTest
+ from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
+-
++from ipatests.test_integration.test_cert import get_certmonger_fs_id
+ 
+ logger = logging.getLogger(__name__)
+ 
+@@ -59,6 +62,49 @@ def move_date(host, chrony_state, date_str):
+     host.run_command(['date', '-s', date_str])
+ 
+ 
++def needs_resubmit(host, req_id):
++    """Helper method to identify if cert request needs to be resubmitted
++    :param host: the host
++    :param req_id: request id to perform operation for
++
++    Returns True if resubmit needed else False
++    """
++    # check if cert is in monitoring state
++    tasks.wait_for_certmonger_status(
++        host, ('MONITORING'), req_id, timeout=600
++    )
++
++    # check if cert is valid and not expired
++    cmd = host.run_command(
++        'getcert list -i {} | grep expires'.format(req_id)
++    )
++    cert_expiry = cmd.stdout_text.split(' ')
++    cert_expiry = datetime.strptime(cert_expiry[1], '%Y-%m-%d').date()
++    if cert_expiry > date.today():
++        return False
++    else:
++        return True
++
++
++def get_cert_expiry(host, nssdb_path, cert_nick):
++    """Method to get cert expiry date of given certificate
++
++    :param host: the host
++    :param nssdb_path: nssdb path of certificate
++    :param cert_nick: certificate nick name for extracting cert from nssdb
++    """
++    # get initial expiry date to compare later with renewed cert
++    host.run_command([
++        'certutil', '-L', '-a',
++        '-d', nssdb_path,
++        '-n', cert_nick,
++        '-o', '/root/cert.pem'
++    ])
++    data = host.get_file_contents('/root/cert.pem')
++    cert = x509.load_pem_x509_certificate(data, backend=default_backend())
++    return cert.not_valid_after
++
++
+ @pytest.fixture
+ def expire_cert_critical():
+     """
+@@ -353,7 +399,19 @@ class TestCertFixReplica(IntegrationTest):
+             setup_dns=False, extra_args=['--no-ntp']
+         )
+ 
+-    def test_renew_expired_cert_replica(self):
++    @pytest.fixture
++    def expire_certs(self):
++        # move system date to expire certs
++        for host in self.master, self.replicas[0]:
++            tasks.move_date(host, 'stop', '+3years+1days')
++
++        yield
++
++        # move date back on replica and master
++        for host in self.master, self.replicas[0]:
++            tasks.move_date(host, 'start', '-3years-1days')
++
++    def test_renew_expired_cert_replica(self, expire_certs):
+         """Test renewal of certificates on replica with ipa-cert-fix
+ 
+         This is to check that ipa-cert-fix renews the certificates
+@@ -361,8 +419,6 @@ class TestCertFixReplica(IntegrationTest):
+ 
+         related: https://pagure.io/freeipa/issue/7885
+         """
+-        move_date(self.master, 'stop', '+3years+1days')
+-
+         # wait for cert expiry
+         check_status(self.master, 8, "CA_UNREACHABLE")
+ 
+@@ -370,35 +426,95 @@ class TestCertFixReplica(IntegrationTest):
+ 
+         check_status(self.master, 9, "MONITORING")
+ 
+-        # move system date to expire cert on replica
+-        move_date(self.replicas[0], 'stop', '+3years+1days')
+-
+-        # RA agent cert will be expired and in CA_UNREACHABLE state
+-        check_status(self.replicas[0], 1, "CA_UNREACHABLE")
+-
+-        # renew RA agent cert
+-        self.replicas[0].run_command(
+-            ['ipa-cert-fix', '-v'], stdin_text='yes\n'
++        # replica operations
++        # 'Server-Cert cert-pki-ca' cert will be in CA_UNREACHABLE state
++        cmd = self.replicas[0].run_command(
++            ['getcert', 'list',
++             '-d', paths.PKI_TOMCAT_ALIAS_DIR,
++             '-n', 'Server-Cert cert-pki-ca']
++        )
++        req_id = get_certmonger_fs_id(cmd.stdout_text)
++        tasks.wait_for_certmonger_status(
++            self.replicas[0], ('CA_UNREACHABLE'), req_id, timeout=600
++        )
++        # get initial expiry date to compare later with renewed cert
++        initial_expiry = get_cert_expiry(
++            self.replicas[0],
++            paths.PKI_TOMCAT_ALIAS_DIR,
++            'Server-Cert cert-pki-ca'
+         )
+ 
+-        # LDAP/HTTP/PKINIT certs will be renewed automaticaly
+-        # after moving date on replica. This 3, 1 CA cert,
+-        # 1 RA agent cert. Check for total 5 valid certs.
+-        check_status(self.replicas[0], 5, "MONITORING")
++        # check that HTTP,LDAP,PKINIT are renewed and in MONITORING state
++        instance = realm_to_serverid(self.master.domain.realm)
++        dirsrv_cert = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
++        for cert in (paths.KDC_CERT, paths.HTTPD_CERT_FILE):
++            cmd = self.replicas[0].run_command(
++                ['getcert', 'list', '-f', cert]
++            )
++            req_id = get_certmonger_fs_id(cmd.stdout_text)
++            tasks.wait_for_certmonger_status(
++                self.replicas[0], ('MONITORING'), req_id, timeout=600
++            )
+ 
+-        # get the req ids of all certs to renew remaining
+-        # certs by re-submitting it
+-        result = self.replicas[0].run_command(['getcert', 'list'])
+-        req_ids = re.findall(r'\d{14}', result.stdout_text)
++        cmd = self.replicas[0].run_command(
++            ['getcert', 'list', '-d', dirsrv_cert]
++        )
++        req_id = get_certmonger_fs_id(cmd.stdout_text)
++        tasks.wait_for_certmonger_status(
++            self.replicas[0], ('MONITORING'), req_id, timeout=600
++        )
+ 
+-        # resubmit the certs to renew them
+-        for req_id in req_ids:
++        # check if replication working fine
++        testuser = 'testuser1'
++        password = 'Secret@123'
++        stdin = (f"{self.master.config.admin_password}\n"
++                 f"{self.master.config.admin_password}\n"
++                 f"{self.master.config.admin_password}\n")
++        self.master.run_command(['kinit', 'admin'], stdin_text=stdin)
++        tasks.user_add(self.master, testuser, password=password)
++        self.replicas[0].run_command(['kinit', 'admin'], stdin_text=stdin)
++        self.replicas[0].run_command(['ipa', 'user-show', testuser])
++
++        # renew shared certificates by resubmitting to certmonger
++        cmd = self.replicas[0].run_command(
++            ['getcert', 'list', '-f', paths.RA_AGENT_PEM]
++        )
++        req_id = get_certmonger_fs_id(cmd.stdout_text)
++        if needs_resubmit(self.replicas[0], req_id):
+             self.replicas[0].run_command(
+                 ['getcert', 'resubmit', '-i', req_id]
+             )
++            tasks.wait_for_certmonger_status(
++                self.replicas[0], ('MONITORING'), req_id, timeout=600
++            )
++        for cert_nick in ('auditSigningCert cert-pki-ca',
++                          'ocspSigningCert cert-pki-ca',
++                          'subsystemCert cert-pki-ca'):
++            cmd = self.replicas[0].run_command(
++                ['getcert', 'list',
++                 '-d', paths.PKI_TOMCAT_ALIAS_DIR,
++                 '-n', cert_nick]
++            )
++            req_id = get_certmonger_fs_id(cmd.stdout_text)
++            if needs_resubmit(self.replicas[0], req_id):
++                self.replicas[0].run_command(
++                    ['getcert', 'resubmit', '-i', req_id]
++                )
++                tasks.wait_for_certmonger_status(
++                    self.replicas[0], ('MONITORING'), req_id, timeout=600
++                )
+ 
+-        check_status(self.master, 9, "MONITORING")
++        self.replicas[0].run_command(
++            ['ipa-cert-fix', '-v'], stdin_text='yes\n'
++        )
+ 
+-        # move date back on replica and master
+-        move_date(self.replicas[0], 'start', '-3years-1days')
+-        move_date(self.master, 'start', '-3years-1days')
++        check_status(self.replicas[0], 9, "MONITORING")
++
++        # Sometimes certmonger takes time to update the cert status
++        # So check in nssdb instead of relying on getcert command
++        renewed_expiry = get_cert_expiry(
++            self.replicas[0],
++            paths.PKI_TOMCAT_ALIAS_DIR,
++            'Server-Cert cert-pki-ca'
++        )
++        assert renewed_expiry > initial_expiry
+-- 
+2.31.1
+

0049-ipatests-refactor-test_ipa_cert_fix-with-tasks.patch

@@ -0,0 +1,73 @@
+From 4a3a15f45aad016730252c09e3e173a18184603e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Wed, 21 Jul 2021 14:29:31 +0200
+Subject: [PATCH] ipatests: refactor test_ipa_cert_fix with tasks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: https://pagure.io/freeipa/issue/8932
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Michal Polovka <mpolovka@redhat.com>
+Reviewed-By: Armando Neto <abiagion@redhat.com>
+Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipatests/test_integration/test_ipa_cert_fix.py | 18 ++++--------------
+ 1 file changed, 4 insertions(+), 14 deletions(-)
+
+diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
+index fa69743e2..39904d5de 100644
+--- a/ipatests/test_integration/test_ipa_cert_fix.py
++++ b/ipatests/test_integration/test_ipa_cert_fix.py
+@@ -52,16 +52,6 @@ def check_status(host, cert_count, state, timeout=600):
+     return count
+ 
+ 
+-def move_date(host, chrony_state, date_str):
+-    """Helper method to move the date on given host
+-    :param host: The host on which date is to be moved
+-    :param chrony_state: State to which chrony service to be moved
+-    :param date_str: date string to move the date i.e 2years1month1days
+-    """
+-    host.run_command(['systemctl', chrony_state, 'chronyd'])
+-    host.run_command(['date', '-s', date_str])
+-
+-
+ def needs_resubmit(host, req_id):
+     """Helper method to identify if cert request needs to be resubmitted
+     :param host: the host
+@@ -123,13 +113,13 @@ def expire_cert_critical():
+             tasks.install_kra(host)
+ 
+         # move date to expire certs
+-        move_date(host, 'stop', '+3Years+1day')
++        tasks.move_date(host, 'stop', '+3Years+1day')
+ 
+     yield _expire_cert_critical
+ 
+     host = hosts.pop('host')
+     tasks.uninstall_master(host)
+-    move_date(host, 'start', '-3Years-1day')
++    tasks.move_date(host, 'start', '-3Years-1day')
+ 
+ 
+ class TestIpaCertFix(IntegrationTest):
+@@ -143,12 +133,12 @@ class TestIpaCertFix(IntegrationTest):
+     def expire_ca_cert(self):
+         tasks.install_master(self.master, setup_dns=False,
+                              extra_args=['--no-ntp'])
+-        move_date(self.master, 'stop', '+20Years+1day')
++        tasks.move_date(self.master, 'stop', '+20Years+1day')
+ 
+         yield
+ 
+         tasks.uninstall_master(self.master)
+-        move_date(self.master, 'start', '-20Years-1day')
++        tasks.move_date(self.master, 'start', '-20Years-1day')
+ 
+     def test_missing_csr(self, expire_cert_critical):
+         """
+-- 
+2.31.1
+

0050-ipatests-use-whole-date-for-journalctl-since.patch

@@ -0,0 +1,65 @@
+From b5036b5ce9ae4fab011e57fe2b37a35fdd098a70 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Thu, 19 Aug 2021 10:51:01 +0200
+Subject: [PATCH] ipatests: use whole date for journalctl --since
+
+When a test is executed around midnight and is checking the
+journal content with --since=date, it needs to specify the
+whole date (with day and time) to avoid missing entries.
+
+If for instance --since=23:59:00 is used and the current time is
+now 00:01:00, --since=23:59:00 would refer to a date in the
+future and no journal entry will be found.
+
+Fixes: https://pagure.io/freeipa/issue/8953
+Reviewed-By: Stanislav Levin <slev@altlinux.org>
+Reviewed-By: Francois Cami <fcami@redhat.com>
+---
+ ipatests/test_integration/test_cert.py     | 2 +-
+ ipatests/test_integration/test_commands.py | 3 ++-
+ ipatests/test_integration/test_nfs.py      | 2 +-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
+index 9a90db5e2..7d51b76ee 100644
+--- a/ipatests/test_integration/test_cert.py
++++ b/ipatests/test_integration/test_cert.py
+@@ -69,7 +69,7 @@ class TestInstallMasterClient(IntegrationTest):
+ 
+         # time to look into journal logs in
+         # test_certmonger_ipa_responder_jsonrpc
+-        cls.since = time.strftime('%H:%M:%S')
++        cls.since = time.strftime('%Y-%m-%d %H:%M:%S')
+ 
+     def test_cacert_file_appear_with_option_F(self):
+         """Test if getcert creates cacert file with -F option
+diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
+index 4d9a81652..fd5d1b472 100644
+--- a/ipatests/test_integration/test_commands.py
++++ b/ipatests/test_integration/test_commands.py
+@@ -1208,7 +1208,8 @@ class TestIPACommand(IntegrationTest):
+         # start to look at logs a bit before "now"
+         # https://pagure.io/freeipa/issue/8432
+         since = time.strftime(
+-            '%H:%M:%S', (datetime.now() - timedelta(seconds=10)).timetuple()
++            '%Y-%m-%d %H:%M:%S',
++            (datetime.now() - timedelta(seconds=10)).timetuple()
+         )
+ 
+         password = 'WrongPassword'
+diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py
+index 9a6153409..dc53a6da9 100644
+--- a/ipatests/test_integration/test_nfs.py
++++ b/ipatests/test_integration/test_nfs.py
+@@ -130,7 +130,7 @@ class TestNFS(IntegrationTest):
+         nfsclt = self.clients[1]
+ 
+         # for journalctl --since
+-        since = time.strftime('%H:%M:%S')
++        since = time.strftime('%Y-%m-%d %H:%M:%S')
+         nfsclt.run_command(["systemctl", "restart", "rpc-gssd"])
+         time.sleep(WAIT_AFTER_INSTALL)
+         mountpoints = ("/mnt/krb", "/mnt/std", "/home")
+-- 
+2.31.1
+

freeipa.spec

@@ -196,7 +196,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        5%{?rc_version:.%rc_version}%{?dist}
+Release:        6%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -259,7 +259,13 @@ Patch0040:      0040-ipatests-use-krb5_trace-in-TestIpaAdTrustInstall.patch
 Patch0041:      0041-ipatests-Test-ldapsearch-with-base-scope-works-with-.patch
 Patch0042:      0042-ipatests-skip-test_basesearch_compat_tree-on-fedora.patch
 Patch0043:      0043-ipatests-Refactor-test_check_otpd_after_idle_timeout.patch
-
+Patch0044:      0044-ipatests-Test-unsecure-nsupdate.patch
+Patch0045:      0045-ipatests-Fix-TestAJPSecretUpgrade-tests-on-systems-w.patch
+Patch0046:      0046-ipatests-test_ipahealthcheck-Verify-permissions-for-.patch
+Patch0047:      0047-ipatests-test-to-renew-certs-on-replica-using-ipa-ce.patch
+Patch0048:      0048-ipatests-wait-while-http-ldap-pkinit-cert-get-renew-.patch
+Patch0049:      0049-ipatests-refactor-test_ipa_cert_fix-with-tasks.patch
+Patch0050:      0050-ipatests-use-whole-date-for-journalctl-since.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1746,6 +1752,15 @@ fi
 %endif
 
 %changelog
+* Thu Aug 26 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-6
+- Resolves: rhbz#1998098 - Backport latest test fixes in python3-ipatests
+  - ipatests: Test unsecure nsupdate.
+  - ipatests: Fix TestAJPSecretUpgrade tests on systems without pkiuser
+  - ipatests: test_ipahealthcheck: Verify permissions for /var/log/ files
+  - ipatests: test to renew certs on replica using ipa-cert-fix
+  - ipatests: wait while http/ldap/pkinit cert get renew on replica
+  - ipatests: refactor test_ipa_cert_fix with tasks
+  - ipatests: use whole date for journalctl --since
 * Tue Aug 17 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-5
 - Resolves: rhbz#1988383 Do SRV discovery in ipa-getkeytab if -s and -H aren't provided 
   - ipa-getkeytab: add option to discover servers using DNS SRV