diff --git a/0044-ipatests-Test-unsecure-nsupdate.patch b/0044-ipatests-Test-unsecure-nsupdate.patch new file mode 100644 index 0000000..a223c94 --- /dev/null +++ b/0044-ipatests-Test-unsecure-nsupdate.patch @@ -0,0 +1,162 @@ +From 4fdab0c94c4e17e42e5f38a0e671bea39bcc9b74 Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Mon, 9 Aug 2021 20:57:22 +0530 +Subject: [PATCH] ipatests: Test unsecure nsupdate. + +The test configures an external bind server on the ipa-server +(not the IPA-embedded DNS server) that allows unauthenticated nsupdates. + +When the IPA client is registered using ipa-client-install, +DNS records are added for the client in the bind server using nsupdate. +The first try is using GSS-TIG but fails as expected, and the client +installer then tries with unauthenticated nsupdate. + +Related : https://pagure.io/freeipa/issue/8402 + +Signed-off-by: Anuja More +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + .../test_installation_client.py | 118 ++++++++++++++++++ + 1 file changed, 118 insertions(+) + +diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py +index fa59a5255..014b0f6ab 100644 +--- a/ipatests/test_integration/test_installation_client.py ++++ b/ipatests/test_integration/test_installation_client.py +@@ -8,10 +8,15 @@ Module provides tests for various options of ipa-client-install. + + from __future__ import absolute_import + ++import pytest ++import re + import shlex ++import textwrap + ++from ipaplatform.paths import paths + from ipatests.test_integration.base import IntegrationTest + from ipatests.pytest_ipa.integration import tasks ++from ipatests.pytest_ipa.integration.firewall import Firewall + + + class TestInstallClient(IntegrationTest): +@@ -70,3 +75,116 @@ class TestInstallClient(IntegrationTest): + extra_args=['--ssh-trust-dns']) + result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config']) + assert 'HostKeyAlgorithms' not in result.stdout_text ++ ++ ++class TestClientInstallBind(IntegrationTest): ++ """ ++ The test configures an external bind server on the ipa-server ++ (not the IPA-embedded DNS server) that allows unauthenticated nsupdates. ++ When the IPA client is registered using ipa-client-install, ++ DNS records are added for the client in the bind server using nsupdate. ++ The first try is using GSS-TIG but fails as expected, and the client ++ installer then tries with unauthenticated nsupdate. ++ """ ++ ++ num_clients = 1 ++ ++ @classmethod ++ def install(cls, mh): ++ cls.client = cls.clients[0] ++ ++ @pytest.fixture ++ def setup_bindserver(self): ++ bindserver = self.master ++ named_conf_backup = tasks.FileBackup(self.master, paths.NAMED_CONF) ++ # create a zone in the BIND server that is identical to the IPA ++ add_zone = textwrap.dedent(""" ++ zone "{domain}" IN {{ type master; ++ file "{domain}.db"; allow-query {{ any; }}; ++ allow-update {{ any; }}; }}; ++ """).format(domain=bindserver.domain.name) ++ ++ namedcfg = bindserver.get_file_contents( ++ paths.NAMED_CONF, encoding='utf-8') ++ namedcfg += '\n' + add_zone ++ bindserver.put_file_contents(paths.NAMED_CONF, namedcfg) ++ ++ def update_contents(path, pattern, replace): ++ contents = bindserver.get_file_contents(path, encoding='utf-8') ++ namedcfg_query = re.sub(pattern, replace, contents) ++ bindserver.put_file_contents(path, namedcfg_query) ++ ++ update_contents(paths.NAMED_CONF, 'localhost;', 'any;') ++ update_contents(paths.NAMED_CONF, "listen-on port 53 { 127.0.0.1; };", ++ "#listen-on port 53 { 127.0.0.1; };") ++ update_contents(paths.NAMED_CONF, "listen-on-v6 port 53 { ::1; };", ++ "#listen-on-v6 port 53 { ::1; };") ++ ++ add_records = textwrap.dedent(""" ++ @ IN SOA {fqdn}. root.{domain}. ( ++ 1001 ;Serial ++ 3H ;Refresh ++ 15M ;Retry ++ 1W ;Expire ++ 1D ;Minimum 1D ++ ) ++ @ IN NS {fqdn}. ++ ns1 IN A {bindserverip} ++ _kerberos.{domain}. IN TXT {zoneupper} ++ {fqdn}. IN A {bindserverip} ++ ipa-ca.{domain}. IN A {bindserverip} ++ _kerberos-master._tcp.{domain}. IN SRV 0 100 88 {fqdn}. ++ _kerberos-master._udp.{domain}. IN SRV 0 100 88 {fqdn}. ++ _kerberos._tcp.{domain}. IN SRV 0 100 88 {fqdn}. ++ _kerberos._udp.{domain}. IN SRV 0 100 88 {fqdn}. ++ _kpasswd._tcp.{domain}. IN SRV 0 100 464 {fqdn}. ++ _kpasswd._udp.{domain}. IN SRV 0 100 464 {fqdn}. ++ _ldap._tcp.{domain}. IN SRV 0 100 389 {fqdn}. ++ """).format( ++ fqdn=bindserver.hostname, ++ domain=bindserver.domain.name, ++ bindserverip=bindserver.ip, ++ zoneupper=bindserver.domain.name.upper() ++ ) ++ bindserverdb = "/var/named/{0}.db".format(bindserver.domain.name) ++ bindserver.put_file_contents(bindserverdb, add_records) ++ bindserver.run_command(['systemctl', 'start', 'named']) ++ Firewall(bindserver).enable_services(["dns"]) ++ yield ++ named_conf_backup.restore() ++ bindserver.run_command(['rm', '-rf', bindserverdb]) ++ ++ def test_client_nsupdate(self, setup_bindserver): ++ """Test secure nsupdate failed, then try unsecure nsupdate.. ++ ++ Test to verify when bind is configured with dynamic update policy, ++ and during client-install 'nsupdate -g' fails then it should run with ++ second call using unauthenticated nsupdate. ++ ++ Related : https://pagure.io/freeipa/issue/8402 ++ """ ++ # with pre-configured bind server, install ipa-server without dns. ++ tasks.install_master(self.master, setup_dns=False) ++ self.client.resolver.backup() ++ self.client.resolver.setup_resolver( ++ self.master.ip, self.master.domain.name) ++ try: ++ self.client.run_command(['ipa-client-install', '-U', ++ '--domain', self.client.domain.name, ++ '--realm', self.client.domain.realm, ++ '-p', self.client.config.admin_name, ++ '-w', self.client.config.admin_password, ++ '--server', self.master.hostname]) ++ # call unauthenticated nsupdate if GSS-TSIG nsupdate failed. ++ str1 = "nsupdate (GSS-TSIG) failed" ++ str2 = "'/usr/bin/nsupdate', '/etc/ipa/.dns_update.txt'" ++ client_log = self.client.get_file_contents( ++ paths.IPACLIENT_INSTALL_LOG, encoding='utf-8' ++ ) ++ assert str1 in client_log and str2 in client_log ++ dig_after = self.client.run_command( ++ ['dig', '@{0}'.format(self.master.ip), self.client.hostname, ++ '-t', 'SSHFP']) ++ assert "ANSWER: 0" not in dig_after.stdout_text.strip() ++ finally: ++ self.client.resolver.restore() +-- +2.31.1 + diff --git a/0045-ipatests-Fix-TestAJPSecretUpgrade-tests-on-systems-w.patch b/0045-ipatests-Fix-TestAJPSecretUpgrade-tests-on-systems-w.patch new file mode 100644 index 0000000..5e978b4 --- /dev/null +++ b/0045-ipatests-Fix-TestAJPSecretUpgrade-tests-on-systems-w.patch @@ -0,0 +1,88 @@ +From c9bc471e063f2865d6423e4f1c9b81e73a45e43f Mon Sep 17 00:00:00 2001 +From: Stanislav Levin +Date: Wed, 4 Aug 2021 18:38:16 +0300 +Subject: [PATCH] ipatests: Fix TestAJPSecretUpgrade tests on systems without + pkiuser + +Tests in `test_ipaserver.test_secure_ajp_connector' assume that there +is pkiuser in OS, but this is not always true (for example, in systems +having minimum installed dependencies, in particular, without pki-server +RPM package). Since the tests already use the mock and pkiuser entity is +not the subject of testing the pwd.getpwnam has been mocked. + +Fixes: https://pagure.io/freeipa/issue/8942 +Signed-off-by: Stanislav Levin +Reviewed-By: Rob Crittenden +--- + .../test_secure_ajp_connector.py | 40 ++++++++++++++++--- + 1 file changed, 34 insertions(+), 6 deletions(-) + +diff --git a/ipatests/test_ipaserver/test_secure_ajp_connector.py b/ipatests/test_ipaserver/test_secure_ajp_connector.py +index 2719dbc48..35ef7407a 100644 +--- a/ipatests/test_ipaserver/test_secure_ajp_connector.py ++++ b/ipatests/test_ipaserver/test_secure_ajp_connector.py +@@ -1,5 +1,6 @@ + # Copyright (C) 2021 FreeIPA Project Contributors - see LICENSE file + ++from collections import namedtuple + from io import BytesIO + from lxml.etree import parse as myparse # pylint: disable=no-name-in-module + import pytest +@@ -32,6 +33,32 @@ def mock_etree_parse(data): + return myparse(f) + + ++def mock_pkiuser_entity(): ++ """Return struct_passwd for mocked pkiuser""" ++ StructPasswd = namedtuple( ++ "StructPasswd", ++ [ ++ "pw_name", ++ "pw_passwd", ++ "pw_uid", ++ "pw_gid", ++ "pw_gecos", ++ "pw_dir", ++ "pw_shell", ++ ] ++ ) ++ pkiuser_entity = StructPasswd( ++ constants.PKI_USER, ++ pw_passwd="x", ++ pw_uid=-1, ++ pw_gid=-1, ++ pw_gecos="", ++ pw_dir="/dev/null", ++ pw_shell="/sbin/nologin", ++ ) ++ return pkiuser_entity ++ ++ + # Format of test_data is: + # ( + # is_newer_tomcat (boolean), +@@ -148,14 +175,15 @@ test_data = ( + + + class TestAJPSecretUpgrade: +- @patch('os.chown') +- @patch('lxml.etree.parse') +- @pytest.mark.parametrize('is_newer, data, secret, expect, rewrite', +- test_data) +- def test_connecter(self, mock_parse, mock_chown, is_newer, data, secret, +- expect, rewrite): ++ @patch("ipaplatform.base.constants.pwd.getpwnam") ++ @patch("ipaplatform.base.constants.os.chown") ++ @patch("ipaserver.install.dogtaginstance.lxml.etree.parse") ++ @pytest.mark.parametrize("test_data", test_data) ++ def test_connecter(self, mock_parse, mock_chown, mock_getpwnam, test_data): ++ is_newer, data, secret, expect, rewrite = test_data + mock_chown.return_value = None + mock_parse.return_value = mock_etree_parse(data) ++ mock_getpwnam.return_value = mock_pkiuser_entity() + + dogtag = MyDogtagInstance(is_newer) + with patch('ipaserver.install.dogtaginstance.open', mock_open()) \ +-- +2.31.1 + diff --git a/0046-ipatests-test_ipahealthcheck-Verify-permissions-for-.patch b/0046-ipatests-test_ipahealthcheck-Verify-permissions-for-.patch new file mode 100644 index 0000000..23d092b --- /dev/null +++ b/0046-ipatests-test_ipahealthcheck-Verify-permissions-for-.patch @@ -0,0 +1,54 @@ +From 488ac7e3ba9f36d6b187687d120920d2d80d8b7f Mon Sep 17 00:00:00 2001 +From: Michal Polovka +Date: Tue, 10 Aug 2021 18:11:05 +0200 +Subject: [PATCH] ipatests: test_ipahealthcheck: Verify permissions for + /var/log/ files + +Test if files in /var/log are being checked with ipahealthcheck.ipa.files source. + +Resolves: https://pagure.io/freeipa/issue/8949 + +Signed-off-by: Michal Polovka +Reviewed-By: Michal Polovka +Reviewed-By: Florence Blanc-Renaud +--- + .../test_integration/test_ipahealthcheck.py | 23 +++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py +index 36fe72be7..089793a2f 100644 +--- a/ipatests/test_integration/test_ipahealthcheck.py ++++ b/ipatests/test_integration/test_ipahealthcheck.py +@@ -1227,6 +1227,29 @@ class TestIpaHealthCheck(IntegrationTest): + ) + assert msg in cmd.stdout_text + ++ def test_ipahealthcheck_verify_perms_for_source_files(self, ++ modify_permissions): ++ """ ++ This tests checks if files in /var/log are checked with ipa.files ++ source. ++ The test modifies permissions of ipainstall log file and checks the ++ response from healthcheck. ++ ++ https://pagure.io/freeipa/issue/8949 ++ """ ++ modify_permissions(self.master, path=paths.IPASERVER_INSTALL_LOG, ++ mode="0644") ++ returncode, data = run_healthcheck( ++ self.master, "ipahealthcheck.ipa.files", failures_only=True) ++ ++ assert returncode == 1 ++ assert len(data) == 1 ++ assert data[0]["result"] == "WARNING" ++ assert data[0]["kw"]["path"] == paths.IPASERVER_INSTALL_LOG ++ assert data[0]["kw"]["type"] == "mode" ++ assert data[0]["kw"]["expected"] == "0600" ++ ++ + @pytest.fixture + def remove_healthcheck(self): + """ +-- +2.31.1 + diff --git a/0047-ipatests-test-to-renew-certs-on-replica-using-ipa-ce.patch b/0047-ipatests-test-to-renew-certs-on-replica-using-ipa-ce.patch new file mode 100644 index 0000000..843f0a7 --- /dev/null +++ b/0047-ipatests-test-to-renew-certs-on-replica-using-ipa-ce.patch @@ -0,0 +1,127 @@ +From e0aef5296b66c0b460f7e10993610fe68b312241 Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Mon, 19 Apr 2021 12:08:28 +0530 +Subject: [PATCH] ipatests: test to renew certs on replica using ipa-cert-fix + +This test checks if ipa-cert-fix renews the certs on replica +after cert renewal on master. + +related: https://pagure.io/freeipa/issue/7885 + +ipatests: refactor expire_cert_critical fixture + +Defined method to move the date and refactor +expire_cert_critical fixture using it + +ipatests: PEP8 fixes + +Signed-off-by: Mohammad Rizwan +Reviewed-By: Florence Blanc-Renaud +--- + .../test_integration/test_ipa_cert_fix.py | 74 ++++++++++++++++++- + 1 file changed, 70 insertions(+), 4 deletions(-) + +diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py +index f3cf59afc..a20996737 100644 +--- a/ipatests/test_integration/test_ipa_cert_fix.py ++++ b/ipatests/test_integration/test_ipa_cert_fix.py +@@ -6,6 +6,7 @@ + Module provides tests for ipa-cert-fix CLI. + """ + import pytest ++import re + import time + + import logging +@@ -74,15 +75,15 @@ def expire_cert_critical(): + extra_args=['--no-ntp']) + if setup_kra: + tasks.install_kra(host) +- host.run_command(['systemctl', 'stop', 'chronyd']) +- host.run_command(['date', '-s', '+3Years+1day']) ++ ++ # move date to expire certs ++ move_date(host, 'stop', '+3Years+1day') + + yield _expire_cert_critical + + host = hosts.pop('host') + tasks.uninstall_master(host) +- host.run_command(['date', '-s', '-3Years-1day']) +- host.run_command(['systemctl', 'start', 'chronyd']) ++ move_date(host, 'start', '-3Years-1day') + + + class TestIpaCertFix(IntegrationTest): +@@ -336,3 +337,68 @@ class TestCertFixKRA(IntegrationTest): + self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n') + + check_status(self.master, 12, "MONITORING") ++ ++ ++class TestCertFixReplica(IntegrationTest): ++ ++ num_replicas = 1 ++ ++ @classmethod ++ def install(cls, mh): ++ tasks.install_master( ++ mh.master, setup_dns=False, extra_args=['--no-ntp'] ++ ) ++ tasks.install_replica( ++ mh.master, mh.replicas[0], ++ setup_dns=False, extra_args=['--no-ntp'] ++ ) ++ ++ def test_renew_expired_cert_replica(self): ++ """Test renewal of certificates on replica with ipa-cert-fix ++ ++ This is to check that ipa-cert-fix renews the certificates ++ on replica ++ ++ related: https://pagure.io/freeipa/issue/7885 ++ """ ++ move_date(self.master, 'stop', '+3years+1days') ++ ++ # wait for cert expiry ++ check_status(self.master, 8, "CA_UNREACHABLE") ++ ++ self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n') ++ ++ check_status(self.master, 9, "MONITORING") ++ ++ # move system date to expire cert on replica ++ move_date(self.replicas[0], 'stop', '+3years+1days') ++ ++ # RA agent cert will be expired and in CA_UNREACHABLE state ++ check_status(self.replicas[0], 1, "CA_UNREACHABLE") ++ ++ # renew RA agent cert ++ self.replicas[0].run_command( ++ ['ipa-cert-fix', '-v'], stdin_text='yes\n' ++ ) ++ ++ # LDAP/HTTP/PKINIT certs will be renewed automaticaly ++ # after moving date on replica. This 3, 1 CA cert, ++ # 1 RA agent cert. Check for total 5 valid certs. ++ check_status(self.replicas[0], 5, "MONITORING") ++ ++ # get the req ids of all certs to renew remaining ++ # certs by re-submitting it ++ result = self.replicas[0].run_command(['getcert', 'list']) ++ req_ids = re.findall(r'\d{14}', result.stdout_text) ++ ++ # resubmit the certs to renew them ++ for req_id in req_ids: ++ self.replicas[0].run_command( ++ ['getcert', 'resubmit', '-i', req_id] ++ ) ++ ++ check_status(self.master, 9, "MONITORING") ++ ++ # move date back on replica and master ++ move_date(self.replicas[0], 'start', '-3years-1days') ++ move_date(self.master, 'start', '-3years-1days') +-- +2.31.1 + diff --git a/0048-ipatests-wait-while-http-ldap-pkinit-cert-get-renew-.patch b/0048-ipatests-wait-while-http-ldap-pkinit-cert-get-renew-.patch new file mode 100644 index 0000000..910d4c8 --- /dev/null +++ b/0048-ipatests-wait-while-http-ldap-pkinit-cert-get-renew-.patch @@ -0,0 +1,252 @@ +From a620e5e9e152defe144705913521c3cf556faa0e Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Mon, 26 Apr 2021 15:50:20 +0530 +Subject: [PATCH] ipatests: wait while http/ldap/pkinit cert get renew on + replica + +LDAP/HTTP/PKINIT certificates should be renewd on replica after +moving system date. Test was failing because ipa-cert-fix ran +while these cert was not renewd and it tried to fix it. + +This test adds check for replication before calling ipa-cert-fix +on replica. + +Fixes: https://pagure.io/freeipa/issue/8815 + +Signed-off-by: Mohammad Rizwan +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Sergey Orlov +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + .../test_integration/test_ipa_cert_fix.py | 172 +++++++++++++++--- + 1 file changed, 144 insertions(+), 28 deletions(-) + +diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py +index a20996737..fa69743e2 100644 +--- a/ipatests/test_integration/test_ipa_cert_fix.py ++++ b/ipatests/test_integration/test_ipa_cert_fix.py +@@ -5,16 +5,19 @@ + """ + Module provides tests for ipa-cert-fix CLI. + """ ++from cryptography.hazmat.backends import default_backend ++from cryptography import x509 ++from datetime import datetime, date + import pytest +-import re + import time + + import logging + from ipaplatform.paths import paths ++from ipapython.ipaldap import realm_to_serverid + from ipatests.pytest_ipa.integration import tasks + from ipatests.test_integration.base import IntegrationTest + from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup +- ++from ipatests.test_integration.test_cert import get_certmonger_fs_id + + logger = logging.getLogger(__name__) + +@@ -59,6 +62,49 @@ def move_date(host, chrony_state, date_str): + host.run_command(['date', '-s', date_str]) + + ++def needs_resubmit(host, req_id): ++ """Helper method to identify if cert request needs to be resubmitted ++ :param host: the host ++ :param req_id: request id to perform operation for ++ ++ Returns True if resubmit needed else False ++ """ ++ # check if cert is in monitoring state ++ tasks.wait_for_certmonger_status( ++ host, ('MONITORING'), req_id, timeout=600 ++ ) ++ ++ # check if cert is valid and not expired ++ cmd = host.run_command( ++ 'getcert list -i {} | grep expires'.format(req_id) ++ ) ++ cert_expiry = cmd.stdout_text.split(' ') ++ cert_expiry = datetime.strptime(cert_expiry[1], '%Y-%m-%d').date() ++ if cert_expiry > date.today(): ++ return False ++ else: ++ return True ++ ++ ++def get_cert_expiry(host, nssdb_path, cert_nick): ++ """Method to get cert expiry date of given certificate ++ ++ :param host: the host ++ :param nssdb_path: nssdb path of certificate ++ :param cert_nick: certificate nick name for extracting cert from nssdb ++ """ ++ # get initial expiry date to compare later with renewed cert ++ host.run_command([ ++ 'certutil', '-L', '-a', ++ '-d', nssdb_path, ++ '-n', cert_nick, ++ '-o', '/root/cert.pem' ++ ]) ++ data = host.get_file_contents('/root/cert.pem') ++ cert = x509.load_pem_x509_certificate(data, backend=default_backend()) ++ return cert.not_valid_after ++ ++ + @pytest.fixture + def expire_cert_critical(): + """ +@@ -353,7 +399,19 @@ class TestCertFixReplica(IntegrationTest): + setup_dns=False, extra_args=['--no-ntp'] + ) + +- def test_renew_expired_cert_replica(self): ++ @pytest.fixture ++ def expire_certs(self): ++ # move system date to expire certs ++ for host in self.master, self.replicas[0]: ++ tasks.move_date(host, 'stop', '+3years+1days') ++ ++ yield ++ ++ # move date back on replica and master ++ for host in self.master, self.replicas[0]: ++ tasks.move_date(host, 'start', '-3years-1days') ++ ++ def test_renew_expired_cert_replica(self, expire_certs): + """Test renewal of certificates on replica with ipa-cert-fix + + This is to check that ipa-cert-fix renews the certificates +@@ -361,8 +419,6 @@ class TestCertFixReplica(IntegrationTest): + + related: https://pagure.io/freeipa/issue/7885 + """ +- move_date(self.master, 'stop', '+3years+1days') +- + # wait for cert expiry + check_status(self.master, 8, "CA_UNREACHABLE") + +@@ -370,35 +426,95 @@ class TestCertFixReplica(IntegrationTest): + + check_status(self.master, 9, "MONITORING") + +- # move system date to expire cert on replica +- move_date(self.replicas[0], 'stop', '+3years+1days') +- +- # RA agent cert will be expired and in CA_UNREACHABLE state +- check_status(self.replicas[0], 1, "CA_UNREACHABLE") +- +- # renew RA agent cert +- self.replicas[0].run_command( +- ['ipa-cert-fix', '-v'], stdin_text='yes\n' ++ # replica operations ++ # 'Server-Cert cert-pki-ca' cert will be in CA_UNREACHABLE state ++ cmd = self.replicas[0].run_command( ++ ['getcert', 'list', ++ '-d', paths.PKI_TOMCAT_ALIAS_DIR, ++ '-n', 'Server-Cert cert-pki-ca'] ++ ) ++ req_id = get_certmonger_fs_id(cmd.stdout_text) ++ tasks.wait_for_certmonger_status( ++ self.replicas[0], ('CA_UNREACHABLE'), req_id, timeout=600 ++ ) ++ # get initial expiry date to compare later with renewed cert ++ initial_expiry = get_cert_expiry( ++ self.replicas[0], ++ paths.PKI_TOMCAT_ALIAS_DIR, ++ 'Server-Cert cert-pki-ca' + ) + +- # LDAP/HTTP/PKINIT certs will be renewed automaticaly +- # after moving date on replica. This 3, 1 CA cert, +- # 1 RA agent cert. Check for total 5 valid certs. +- check_status(self.replicas[0], 5, "MONITORING") ++ # check that HTTP,LDAP,PKINIT are renewed and in MONITORING state ++ instance = realm_to_serverid(self.master.domain.realm) ++ dirsrv_cert = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance ++ for cert in (paths.KDC_CERT, paths.HTTPD_CERT_FILE): ++ cmd = self.replicas[0].run_command( ++ ['getcert', 'list', '-f', cert] ++ ) ++ req_id = get_certmonger_fs_id(cmd.stdout_text) ++ tasks.wait_for_certmonger_status( ++ self.replicas[0], ('MONITORING'), req_id, timeout=600 ++ ) + +- # get the req ids of all certs to renew remaining +- # certs by re-submitting it +- result = self.replicas[0].run_command(['getcert', 'list']) +- req_ids = re.findall(r'\d{14}', result.stdout_text) ++ cmd = self.replicas[0].run_command( ++ ['getcert', 'list', '-d', dirsrv_cert] ++ ) ++ req_id = get_certmonger_fs_id(cmd.stdout_text) ++ tasks.wait_for_certmonger_status( ++ self.replicas[0], ('MONITORING'), req_id, timeout=600 ++ ) + +- # resubmit the certs to renew them +- for req_id in req_ids: ++ # check if replication working fine ++ testuser = 'testuser1' ++ password = 'Secret@123' ++ stdin = (f"{self.master.config.admin_password}\n" ++ f"{self.master.config.admin_password}\n" ++ f"{self.master.config.admin_password}\n") ++ self.master.run_command(['kinit', 'admin'], stdin_text=stdin) ++ tasks.user_add(self.master, testuser, password=password) ++ self.replicas[0].run_command(['kinit', 'admin'], stdin_text=stdin) ++ self.replicas[0].run_command(['ipa', 'user-show', testuser]) ++ ++ # renew shared certificates by resubmitting to certmonger ++ cmd = self.replicas[0].run_command( ++ ['getcert', 'list', '-f', paths.RA_AGENT_PEM] ++ ) ++ req_id = get_certmonger_fs_id(cmd.stdout_text) ++ if needs_resubmit(self.replicas[0], req_id): + self.replicas[0].run_command( + ['getcert', 'resubmit', '-i', req_id] + ) ++ tasks.wait_for_certmonger_status( ++ self.replicas[0], ('MONITORING'), req_id, timeout=600 ++ ) ++ for cert_nick in ('auditSigningCert cert-pki-ca', ++ 'ocspSigningCert cert-pki-ca', ++ 'subsystemCert cert-pki-ca'): ++ cmd = self.replicas[0].run_command( ++ ['getcert', 'list', ++ '-d', paths.PKI_TOMCAT_ALIAS_DIR, ++ '-n', cert_nick] ++ ) ++ req_id = get_certmonger_fs_id(cmd.stdout_text) ++ if needs_resubmit(self.replicas[0], req_id): ++ self.replicas[0].run_command( ++ ['getcert', 'resubmit', '-i', req_id] ++ ) ++ tasks.wait_for_certmonger_status( ++ self.replicas[0], ('MONITORING'), req_id, timeout=600 ++ ) + +- check_status(self.master, 9, "MONITORING") ++ self.replicas[0].run_command( ++ ['ipa-cert-fix', '-v'], stdin_text='yes\n' ++ ) + +- # move date back on replica and master +- move_date(self.replicas[0], 'start', '-3years-1days') +- move_date(self.master, 'start', '-3years-1days') ++ check_status(self.replicas[0], 9, "MONITORING") ++ ++ # Sometimes certmonger takes time to update the cert status ++ # So check in nssdb instead of relying on getcert command ++ renewed_expiry = get_cert_expiry( ++ self.replicas[0], ++ paths.PKI_TOMCAT_ALIAS_DIR, ++ 'Server-Cert cert-pki-ca' ++ ) ++ assert renewed_expiry > initial_expiry +-- +2.31.1 + diff --git a/0049-ipatests-refactor-test_ipa_cert_fix-with-tasks.patch b/0049-ipatests-refactor-test_ipa_cert_fix-with-tasks.patch new file mode 100644 index 0000000..2566b9f --- /dev/null +++ b/0049-ipatests-refactor-test_ipa_cert_fix-with-tasks.patch @@ -0,0 +1,73 @@ +From 4a3a15f45aad016730252c09e3e173a18184603e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Wed, 21 Jul 2021 14:29:31 +0200 +Subject: [PATCH] ipatests: refactor test_ipa_cert_fix with tasks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: https://pagure.io/freeipa/issue/8932 +Signed-off-by: François Cami +Reviewed-By: Michal Polovka +Reviewed-By: Armando Neto +Reviewed-By: Mohammad Rizwan +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_ipa_cert_fix.py | 18 ++++-------------- + 1 file changed, 4 insertions(+), 14 deletions(-) + +diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py +index fa69743e2..39904d5de 100644 +--- a/ipatests/test_integration/test_ipa_cert_fix.py ++++ b/ipatests/test_integration/test_ipa_cert_fix.py +@@ -52,16 +52,6 @@ def check_status(host, cert_count, state, timeout=600): + return count + + +-def move_date(host, chrony_state, date_str): +- """Helper method to move the date on given host +- :param host: The host on which date is to be moved +- :param chrony_state: State to which chrony service to be moved +- :param date_str: date string to move the date i.e 2years1month1days +- """ +- host.run_command(['systemctl', chrony_state, 'chronyd']) +- host.run_command(['date', '-s', date_str]) +- +- + def needs_resubmit(host, req_id): + """Helper method to identify if cert request needs to be resubmitted + :param host: the host +@@ -123,13 +113,13 @@ def expire_cert_critical(): + tasks.install_kra(host) + + # move date to expire certs +- move_date(host, 'stop', '+3Years+1day') ++ tasks.move_date(host, 'stop', '+3Years+1day') + + yield _expire_cert_critical + + host = hosts.pop('host') + tasks.uninstall_master(host) +- move_date(host, 'start', '-3Years-1day') ++ tasks.move_date(host, 'start', '-3Years-1day') + + + class TestIpaCertFix(IntegrationTest): +@@ -143,12 +133,12 @@ class TestIpaCertFix(IntegrationTest): + def expire_ca_cert(self): + tasks.install_master(self.master, setup_dns=False, + extra_args=['--no-ntp']) +- move_date(self.master, 'stop', '+20Years+1day') ++ tasks.move_date(self.master, 'stop', '+20Years+1day') + + yield + + tasks.uninstall_master(self.master) +- move_date(self.master, 'start', '-20Years-1day') ++ tasks.move_date(self.master, 'start', '-20Years-1day') + + def test_missing_csr(self, expire_cert_critical): + """ +-- +2.31.1 + diff --git a/0050-ipatests-use-whole-date-for-journalctl-since.patch b/0050-ipatests-use-whole-date-for-journalctl-since.patch new file mode 100644 index 0000000..97b9650 --- /dev/null +++ b/0050-ipatests-use-whole-date-for-journalctl-since.patch @@ -0,0 +1,65 @@ +From b5036b5ce9ae4fab011e57fe2b37a35fdd098a70 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Thu, 19 Aug 2021 10:51:01 +0200 +Subject: [PATCH] ipatests: use whole date for journalctl --since + +When a test is executed around midnight and is checking the +journal content with --since=date, it needs to specify the +whole date (with day and time) to avoid missing entries. + +If for instance --since=23:59:00 is used and the current time is +now 00:01:00, --since=23:59:00 would refer to a date in the +future and no journal entry will be found. + +Fixes: https://pagure.io/freeipa/issue/8953 +Reviewed-By: Stanislav Levin +Reviewed-By: Francois Cami +--- + ipatests/test_integration/test_cert.py | 2 +- + ipatests/test_integration/test_commands.py | 3 ++- + ipatests/test_integration/test_nfs.py | 2 +- + 3 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py +index 9a90db5e2..7d51b76ee 100644 +--- a/ipatests/test_integration/test_cert.py ++++ b/ipatests/test_integration/test_cert.py +@@ -69,7 +69,7 @@ class TestInstallMasterClient(IntegrationTest): + + # time to look into journal logs in + # test_certmonger_ipa_responder_jsonrpc +- cls.since = time.strftime('%H:%M:%S') ++ cls.since = time.strftime('%Y-%m-%d %H:%M:%S') + + def test_cacert_file_appear_with_option_F(self): + """Test if getcert creates cacert file with -F option +diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py +index 4d9a81652..fd5d1b472 100644 +--- a/ipatests/test_integration/test_commands.py ++++ b/ipatests/test_integration/test_commands.py +@@ -1208,7 +1208,8 @@ class TestIPACommand(IntegrationTest): + # start to look at logs a bit before "now" + # https://pagure.io/freeipa/issue/8432 + since = time.strftime( +- '%H:%M:%S', (datetime.now() - timedelta(seconds=10)).timetuple() ++ '%Y-%m-%d %H:%M:%S', ++ (datetime.now() - timedelta(seconds=10)).timetuple() + ) + + password = 'WrongPassword' +diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py +index 9a6153409..dc53a6da9 100644 +--- a/ipatests/test_integration/test_nfs.py ++++ b/ipatests/test_integration/test_nfs.py +@@ -130,7 +130,7 @@ class TestNFS(IntegrationTest): + nfsclt = self.clients[1] + + # for journalctl --since +- since = time.strftime('%H:%M:%S') ++ since = time.strftime('%Y-%m-%d %H:%M:%S') + nfsclt.run_command(["systemctl", "restart", "rpc-gssd"]) + time.sleep(WAIT_AFTER_INSTALL) + mountpoints = ("/mnt/krb", "/mnt/std", "/home") +-- +2.31.1 + diff --git a/freeipa.spec b/freeipa.spec index 6e02ce1..4f1ec27 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -196,7 +196,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 5%{?rc_version:.%rc_version}%{?dist} +Release: 6%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -259,7 +259,13 @@ Patch0040: 0040-ipatests-use-krb5_trace-in-TestIpaAdTrustInstall.patch Patch0041: 0041-ipatests-Test-ldapsearch-with-base-scope-works-with-.patch Patch0042: 0042-ipatests-skip-test_basesearch_compat_tree-on-fedora.patch Patch0043: 0043-ipatests-Refactor-test_check_otpd_after_idle_timeout.patch - +Patch0044: 0044-ipatests-Test-unsecure-nsupdate.patch +Patch0045: 0045-ipatests-Fix-TestAJPSecretUpgrade-tests-on-systems-w.patch +Patch0046: 0046-ipatests-test_ipahealthcheck-Verify-permissions-for-.patch +Patch0047: 0047-ipatests-test-to-renew-certs-on-replica-using-ipa-ce.patch +Patch0048: 0048-ipatests-wait-while-http-ldap-pkinit-cert-get-renew-.patch +Patch0049: 0049-ipatests-refactor-test_ipa_cert_fix-with-tasks.patch +Patch0050: 0050-ipatests-use-whole-date-for-journalctl-since.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif %endif @@ -1746,6 +1752,15 @@ fi %endif %changelog +* Thu Aug 26 2021 Florence Blanc-Renaud - 4.9.6-6 +- Resolves: rhbz#1998098 - Backport latest test fixes in python3-ipatests + - ipatests: Test unsecure nsupdate. + - ipatests: Fix TestAJPSecretUpgrade tests on systems without pkiuser + - ipatests: test_ipahealthcheck: Verify permissions for /var/log/ files + - ipatests: test to renew certs on replica using ipa-cert-fix + - ipatests: wait while http/ldap/pkinit cert get renew on replica + - ipatests: refactor test_ipa_cert_fix with tasks + - ipatests: use whole date for journalctl --since * Tue Aug 17 2021 Florence Blanc-Renaud - 4.9.6-5 - Resolves: rhbz#1988383 Do SRV discovery in ipa-getkeytab if -s and -H aren't provided - ipa-getkeytab: add option to discover servers using DNS SRV