rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

ipa-4.9.6-6

Browse Source 
- Resolves: rhbz#1998098 - Backport latest test fixes in python3-ipatests
This commit is contained in:
Florence Blanc-Renaud 2021-08-26 15:51:00 +02:00
parent 6ff3da92fc
commit 992ffe6b89
8 changed files with 838 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

162
0044-ipatests-Test-unsecure-nsupdate.patch Normal file
View File

@ -0,0 +1,162 @@
From 4fdab0c94c4e17e42e5f38a0e671bea39bcc9b74 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Mon, 9 Aug 2021 20:57:22 +0530
Subject: [PATCH] ipatests: Test unsecure nsupdate.
The test configures an external bind server on the ipa-server
(not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
When the IPA client is registered using ipa-client-install,
DNS records are added for the client in the bind server using nsupdate.
The first try is using GSS-TIG but fails as expected, and the client
installer then tries with unauthenticated nsupdate.
Related : https://pagure.io/freeipa/issue/8402
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../test_installation_client.py | 118 ++++++++++++++++++
1 file changed, 118 insertions(+)
diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py
index fa59a5255..014b0f6ab 100644
--- a/ipatests/test_integration/test_installation_client.py
+++ b/ipatests/test_integration/test_installation_client.py
@@ -8,10 +8,15 @@ Module provides tests for various options of ipa-client-install.
from __future__ import absolute_import
+import pytest
+import re
import shlex
+import textwrap
+from ipaplatform.paths import paths
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
+from ipatests.pytest_ipa.integration.firewall import Firewall
class TestInstallClient(IntegrationTest):
@@ -70,3 +75,116 @@ class TestInstallClient(IntegrationTest):
extra_args=['--ssh-trust-dns'])
result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config'])
assert 'HostKeyAlgorithms' not in result.stdout_text
+
+
+class TestClientInstallBind(IntegrationTest):
+ """
+ The test configures an external bind server on the ipa-server
+ (not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
+ When the IPA client is registered using ipa-client-install,
+ DNS records are added for the client in the bind server using nsupdate.
+ The first try is using GSS-TIG but fails as expected, and the client
+ installer then tries with unauthenticated nsupdate.
+ """
+
+ num_clients = 1
+
+ @classmethod
+ def install(cls, mh):
+ cls.client = cls.clients[0]
+
+ @pytest.fixture
+ def setup_bindserver(self):
+ bindserver = self.master
+ named_conf_backup = tasks.FileBackup(self.master, paths.NAMED_CONF)
+ # create a zone in the BIND server that is identical to the IPA
+ add_zone = textwrap.dedent("""
+ zone "{domain}" IN {{ type master;
+ file "{domain}.db"; allow-query {{ any; }};
+ allow-update {{ any; }}; }};
+ """).format(domain=bindserver.domain.name)
+
+ namedcfg = bindserver.get_file_contents(
+ paths.NAMED_CONF, encoding='utf-8')
+ namedcfg += '\n' + add_zone
+ bindserver.put_file_contents(paths.NAMED_CONF, namedcfg)
+
+ def update_contents(path, pattern, replace):
+ contents = bindserver.get_file_contents(path, encoding='utf-8')
+ namedcfg_query = re.sub(pattern, replace, contents)
+ bindserver.put_file_contents(path, namedcfg_query)
+
+ update_contents(paths.NAMED_CONF, 'localhost;', 'any;')
+ update_contents(paths.NAMED_CONF, "listen-on port 53 { 127.0.0.1; };",
+ "#listen-on port 53 { 127.0.0.1; };")
+ update_contents(paths.NAMED_CONF, "listen-on-v6 port 53 { ::1; };",
+ "#listen-on-v6 port 53 { ::1; };")
+
+ add_records = textwrap.dedent("""
+ @ IN SOA {fqdn}. root.{domain}. (
+ 1001 ;Serial
+ 3H ;Refresh
+ 15M ;Retry
+ 1W ;Expire
+ 1D ;Minimum 1D
+ )
+ @ IN NS {fqdn}.
+ ns1 IN A {bindserverip}
+ _kerberos.{domain}. IN TXT {zoneupper}
+ {fqdn}. IN A {bindserverip}
+ ipa-ca.{domain}. IN A {bindserverip}
+ _kerberos-master._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kerberos-master._udp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kerberos._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kerberos._udp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kpasswd._tcp.{domain}. IN SRV 0 100 464 {fqdn}.
+ _kpasswd._udp.{domain}. IN SRV 0 100 464 {fqdn}.
+ _ldap._tcp.{domain}. IN SRV 0 100 389 {fqdn}.
+ """).format(
+ fqdn=bindserver.hostname,
+ domain=bindserver.domain.name,
+ bindserverip=bindserver.ip,
+ zoneupper=bindserver.domain.name.upper()
+ )
+ bindserverdb = "/var/named/{0}.db".format(bindserver.domain.name)
+ bindserver.put_file_contents(bindserverdb, add_records)
+ bindserver.run_command(['systemctl', 'start', 'named'])
+ Firewall(bindserver).enable_services(["dns"])
+ yield
+ named_conf_backup.restore()
+ bindserver.run_command(['rm', '-rf', bindserverdb])
+
+ def test_client_nsupdate(self, setup_bindserver):
+ """Test secure nsupdate failed, then try unsecure nsupdate..
+
+ Test to verify when bind is configured with dynamic update policy,
+ and during client-install 'nsupdate -g' fails then it should run with
+ second call using unauthenticated nsupdate.
+
+ Related : https://pagure.io/freeipa/issue/8402
+ """
+ # with pre-configured bind server, install ipa-server without dns.
+ tasks.install_master(self.master, setup_dns=False)
+ self.client.resolver.backup()
+ self.client.resolver.setup_resolver(
+ self.master.ip, self.master.domain.name)
+ try:
+ self.client.run_command(['ipa-client-install', '-U',
+ '--domain', self.client.domain.name,
+ '--realm', self.client.domain.realm,
+ '-p', self.client.config.admin_name,
+ '-w', self.client.config.admin_password,
+ '--server', self.master.hostname])
+ # call unauthenticated nsupdate if GSS-TSIG nsupdate failed.
+ str1 = "nsupdate (GSS-TSIG) failed"
+ str2 = "'/usr/bin/nsupdate', '/etc/ipa/.dns_update.txt'"
+ client_log = self.client.get_file_contents(
+ paths.IPACLIENT_INSTALL_LOG, encoding='utf-8'
+ )
+ assert str1 in client_log and str2 in client_log
+ dig_after = self.client.run_command(
+ ['dig', '@{0}'.format(self.master.ip), self.client.hostname,
+ '-t', 'SSHFP'])
+ assert "ANSWER: 0" not in dig_after.stdout_text.strip()
+ finally:
+ self.client.resolver.restore()
--
2.31.1

88
0045-ipatests-Fix-TestAJPSecretUpgrade-tests-on-systems-w.patch Normal file
View File

@ -0,0 +1,88 @@
From c9bc471e063f2865d6423e4f1c9b81e73a45e43f Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Wed, 4 Aug 2021 18:38:16 +0300
Subject: [PATCH] ipatests: Fix TestAJPSecretUpgrade tests on systems without
pkiuser
Tests in `test_ipaserver.test_secure_ajp_connector' assume that there
is pkiuser in OS, but this is not always true (for example, in systems
having minimum installed dependencies, in particular, without pki-server
RPM package). Since the tests already use the mock and pkiuser entity is
not the subject of testing the pwd.getpwnam has been mocked.
Fixes: https://pagure.io/freeipa/issue/8942
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../test_secure_ajp_connector.py | 40 ++++++++++++++++---
1 file changed, 34 insertions(+), 6 deletions(-)
diff --git a/ipatests/test_ipaserver/test_secure_ajp_connector.py b/ipatests/test_ipaserver/test_secure_ajp_connector.py
index 2719dbc48..35ef7407a 100644
--- a/ipatests/test_ipaserver/test_secure_ajp_connector.py
+++ b/ipatests/test_ipaserver/test_secure_ajp_connector.py
@@ -1,5 +1,6 @@
# Copyright (C) 2021 FreeIPA Project Contributors - see LICENSE file
+from collections import namedtuple
from io import BytesIO
from lxml.etree import parse as myparse # pylint: disable=no-name-in-module
import pytest
@@ -32,6 +33,32 @@ def mock_etree_parse(data):
return myparse(f)
+def mock_pkiuser_entity():
+ """Return struct_passwd for mocked pkiuser"""
+ StructPasswd = namedtuple(
+ "StructPasswd",
+ [
+ "pw_name",
+ "pw_passwd",
+ "pw_uid",
+ "pw_gid",
+ "pw_gecos",
+ "pw_dir",
+ "pw_shell",
+ ]
+ )
+ pkiuser_entity = StructPasswd(
+ constants.PKI_USER,
+ pw_passwd="x",
+ pw_uid=-1,
+ pw_gid=-1,
+ pw_gecos="",
+ pw_dir="/dev/null",
+ pw_shell="/sbin/nologin",
+ )
+ return pkiuser_entity
+
+
# Format of test_data is:
# (
# is_newer_tomcat (boolean),
@@ -148,14 +175,15 @@ test_data = (
class TestAJPSecretUpgrade:
- @patch('os.chown')
- @patch('lxml.etree.parse')
- @pytest.mark.parametrize('is_newer, data, secret, expect, rewrite',
- test_data)
- def test_connecter(self, mock_parse, mock_chown, is_newer, data, secret,
- expect, rewrite):
+ @patch("ipaplatform.base.constants.pwd.getpwnam")
+ @patch("ipaplatform.base.constants.os.chown")
+ @patch("ipaserver.install.dogtaginstance.lxml.etree.parse")
+ @pytest.mark.parametrize("test_data", test_data)
+ def test_connecter(self, mock_parse, mock_chown, mock_getpwnam, test_data):
+ is_newer, data, secret, expect, rewrite = test_data
mock_chown.return_value = None
mock_parse.return_value = mock_etree_parse(data)
+ mock_getpwnam.return_value = mock_pkiuser_entity()
dogtag = MyDogtagInstance(is_newer)
with patch('ipaserver.install.dogtaginstance.open', mock_open()) \
--
2.31.1

54
0046-ipatests-test_ipahealthcheck-Verify-permissions-for-.patch Normal file
View File

@ -0,0 +1,54 @@
From 488ac7e3ba9f36d6b187687d120920d2d80d8b7f Mon Sep 17 00:00:00 2001
From: Michal Polovka <mpolovka@redhat.com>
Date: Tue, 10 Aug 2021 18:11:05 +0200
Subject: [PATCH] ipatests: test_ipahealthcheck: Verify permissions for
/var/log/ files
Test if files in /var/log are being checked with ipahealthcheck.ipa.files source.
Resolves: https://pagure.io/freeipa/issue/8949
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_ipahealthcheck.py | 23 +++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 36fe72be7..089793a2f 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -1227,6 +1227,29 @@ class TestIpaHealthCheck(IntegrationTest):
)
assert msg in cmd.stdout_text
+ def test_ipahealthcheck_verify_perms_for_source_files(self,
+ modify_permissions):
+ """
+ This tests checks if files in /var/log are checked with ipa.files
+ source.
+ The test modifies permissions of ipainstall log file and checks the
+ response from healthcheck.
+
+ https://pagure.io/freeipa/issue/8949
+ """
+ modify_permissions(self.master, path=paths.IPASERVER_INSTALL_LOG,
+ mode="0644")
+ returncode, data = run_healthcheck(
+ self.master, "ipahealthcheck.ipa.files", failures_only=True)
+
+ assert returncode == 1
+ assert len(data) == 1
+ assert data[0]["result"] == "WARNING"
+ assert data[0]["kw"]["path"] == paths.IPASERVER_INSTALL_LOG
+ assert data[0]["kw"]["type"] == "mode"
+ assert data[0]["kw"]["expected"] == "0600"
+
+
@pytest.fixture
def remove_healthcheck(self):
"""
--
2.31.1

127
0047-ipatests-test-to-renew-certs-on-replica-using-ipa-ce.patch Normal file
View File

@ -0,0 +1,127 @@
From e0aef5296b66c0b460f7e10993610fe68b312241 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Mon, 19 Apr 2021 12:08:28 +0530
Subject: [PATCH] ipatests: test to renew certs on replica using ipa-cert-fix
This test checks if ipa-cert-fix renews the certs on replica
after cert renewal on master.
related: https://pagure.io/freeipa/issue/7885
ipatests: refactor expire_cert_critical fixture
Defined method to move the date and refactor
expire_cert_critical fixture using it
ipatests: PEP8 fixes
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_ipa_cert_fix.py | 74 ++++++++++++++++++-
1 file changed, 70 insertions(+), 4 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index f3cf59afc..a20996737 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -6,6 +6,7 @@
Module provides tests for ipa-cert-fix CLI.
"""
import pytest
+import re
import time
import logging
@@ -74,15 +75,15 @@ def expire_cert_critical():
extra_args=['--no-ntp'])
if setup_kra:
tasks.install_kra(host)
- host.run_command(['systemctl', 'stop', 'chronyd'])
- host.run_command(['date', '-s', '+3Years+1day'])
+
+ # move date to expire certs
+ move_date(host, 'stop', '+3Years+1day')
yield _expire_cert_critical
host = hosts.pop('host')
tasks.uninstall_master(host)
- host.run_command(['date', '-s', '-3Years-1day'])
- host.run_command(['systemctl', 'start', 'chronyd'])
+ move_date(host, 'start', '-3Years-1day')
class TestIpaCertFix(IntegrationTest):
@@ -336,3 +337,68 @@ class TestCertFixKRA(IntegrationTest):
self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
check_status(self.master, 12, "MONITORING")
+
+
+class TestCertFixReplica(IntegrationTest):
+
+ num_replicas = 1
+
+ @classmethod
+ def install(cls, mh):
+ tasks.install_master(
+ mh.master, setup_dns=False, extra_args=['--no-ntp']
+ )
+ tasks.install_replica(
+ mh.master, mh.replicas[0],
+ setup_dns=False, extra_args=['--no-ntp']
+ )
+
+ def test_renew_expired_cert_replica(self):
+ """Test renewal of certificates on replica with ipa-cert-fix
+
+ This is to check that ipa-cert-fix renews the certificates
+ on replica
+
+ related: https://pagure.io/freeipa/issue/7885
+ """
+ move_date(self.master, 'stop', '+3years+1days')
+
+ # wait for cert expiry
+ check_status(self.master, 8, "CA_UNREACHABLE")
+
+ self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
+
+ check_status(self.master, 9, "MONITORING")
+
+ # move system date to expire cert on replica
+ move_date(self.replicas[0], 'stop', '+3years+1days')
+
+ # RA agent cert will be expired and in CA_UNREACHABLE state
+ check_status(self.replicas[0], 1, "CA_UNREACHABLE")
+
+ # renew RA agent cert
+ self.replicas[0].run_command(
+ ['ipa-cert-fix', '-v'], stdin_text='yes\n'
+ )
+
+ # LDAP/HTTP/PKINIT certs will be renewed automaticaly
+ # after moving date on replica. This 3, 1 CA cert,
+ # 1 RA agent cert. Check for total 5 valid certs.
+ check_status(self.replicas[0], 5, "MONITORING")
+
+ # get the req ids of all certs to renew remaining
+ # certs by re-submitting it
+ result = self.replicas[0].run_command(['getcert', 'list'])
+ req_ids = re.findall(r'\d{14}', result.stdout_text)
+
+ # resubmit the certs to renew them
+ for req_id in req_ids:
+ self.replicas[0].run_command(
+ ['getcert', 'resubmit', '-i', req_id]
+ )
+
+ check_status(self.master, 9, "MONITORING")
+
+ # move date back on replica and master
+ move_date(self.replicas[0], 'start', '-3years-1days')
+ move_date(self.master, 'start', '-3years-1days')
--
2.31.1

252
0048-ipatests-wait-while-http-ldap-pkinit-cert-get-renew-.patch Normal file
View File

@ -0,0 +1,252 @@
From a620e5e9e152defe144705913521c3cf556faa0e Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Mon, 26 Apr 2021 15:50:20 +0530
Subject: [PATCH] ipatests: wait while http/ldap/pkinit cert get renew on
replica
LDAP/HTTP/PKINIT certificates should be renewd on replica after
moving system date. Test was failing because ipa-cert-fix ran
while these cert was not renewd and it tried to fix it.
This test adds check for replication before calling ipa-cert-fix
on replica.
Fixes: https://pagure.io/freeipa/issue/8815
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_ipa_cert_fix.py | 172 +++++++++++++++---
1 file changed, 144 insertions(+), 28 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index a20996737..fa69743e2 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -5,16 +5,19 @@
"""
Module provides tests for ipa-cert-fix CLI.
"""
+from cryptography.hazmat.backends import default_backend
+from cryptography import x509
+from datetime import datetime, date
import pytest
-import re
import time
import logging
from ipaplatform.paths import paths
+from ipapython.ipaldap import realm_to_serverid
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
-
+from ipatests.test_integration.test_cert import get_certmonger_fs_id
logger = logging.getLogger(__name__)
@@ -59,6 +62,49 @@ def move_date(host, chrony_state, date_str):
host.run_command(['date', '-s', date_str])
+def needs_resubmit(host, req_id):
+ """Helper method to identify if cert request needs to be resubmitted
+ :param host: the host
+ :param req_id: request id to perform operation for
+
+ Returns True if resubmit needed else False
+ """
+ # check if cert is in monitoring state
+ tasks.wait_for_certmonger_status(
+ host, ('MONITORING'), req_id, timeout=600
+ )
+
+ # check if cert is valid and not expired
+ cmd = host.run_command(
+ 'getcert list -i {} | grep expires'.format(req_id)
+ )
+ cert_expiry = cmd.stdout_text.split(' ')
+ cert_expiry = datetime.strptime(cert_expiry[1], '%Y-%m-%d').date()
+ if cert_expiry > date.today():
+ return False
+ else:
+ return True
+
+
+def get_cert_expiry(host, nssdb_path, cert_nick):
+ """Method to get cert expiry date of given certificate
+
+ :param host: the host
+ :param nssdb_path: nssdb path of certificate
+ :param cert_nick: certificate nick name for extracting cert from nssdb
+ """
+ # get initial expiry date to compare later with renewed cert
+ host.run_command([
+ 'certutil', '-L', '-a',
+ '-d', nssdb_path,
+ '-n', cert_nick,
+ '-o', '/root/cert.pem'
+ ])
+ data = host.get_file_contents('/root/cert.pem')
+ cert = x509.load_pem_x509_certificate(data, backend=default_backend())
+ return cert.not_valid_after
+
+
@pytest.fixture
def expire_cert_critical():
"""
@@ -353,7 +399,19 @@ class TestCertFixReplica(IntegrationTest):
setup_dns=False, extra_args=['--no-ntp']
)
- def test_renew_expired_cert_replica(self):
+ @pytest.fixture
+ def expire_certs(self):
+ # move system date to expire certs
+ for host in self.master, self.replicas[0]:
+ tasks.move_date(host, 'stop', '+3years+1days')
+
+ yield
+
+ # move date back on replica and master
+ for host in self.master, self.replicas[0]:
+ tasks.move_date(host, 'start', '-3years-1days')
+
+ def test_renew_expired_cert_replica(self, expire_certs):
"""Test renewal of certificates on replica with ipa-cert-fix
This is to check that ipa-cert-fix renews the certificates
@@ -361,8 +419,6 @@ class TestCertFixReplica(IntegrationTest):
related: https://pagure.io/freeipa/issue/7885
"""
- move_date(self.master, 'stop', '+3years+1days')
-
# wait for cert expiry
check_status(self.master, 8, "CA_UNREACHABLE")
@@ -370,35 +426,95 @@ class TestCertFixReplica(IntegrationTest):
check_status(self.master, 9, "MONITORING")
- # move system date to expire cert on replica
- move_date(self.replicas[0], 'stop', '+3years+1days')
-
- # RA agent cert will be expired and in CA_UNREACHABLE state
- check_status(self.replicas[0], 1, "CA_UNREACHABLE")
-
- # renew RA agent cert
- self.replicas[0].run_command(
- ['ipa-cert-fix', '-v'], stdin_text='yes\n'
+ # replica operations
+ # 'Server-Cert cert-pki-ca' cert will be in CA_UNREACHABLE state
+ cmd = self.replicas[0].run_command(
+ ['getcert', 'list',
+ '-d', paths.PKI_TOMCAT_ALIAS_DIR,
+ '-n', 'Server-Cert cert-pki-ca']
+ )
+ req_id = get_certmonger_fs_id(cmd.stdout_text)
+ tasks.wait_for_certmonger_status(
+ self.replicas[0], ('CA_UNREACHABLE'), req_id, timeout=600
+ )
+ # get initial expiry date to compare later with renewed cert
+ initial_expiry = get_cert_expiry(
+ self.replicas[0],
+ paths.PKI_TOMCAT_ALIAS_DIR,
+ 'Server-Cert cert-pki-ca'
)
- # LDAP/HTTP/PKINIT certs will be renewed automaticaly
- # after moving date on replica. This 3, 1 CA cert,
- # 1 RA agent cert. Check for total 5 valid certs.
- check_status(self.replicas[0], 5, "MONITORING")
+ # check that HTTP,LDAP,PKINIT are renewed and in MONITORING state
+ instance = realm_to_serverid(self.master.domain.realm)
+ dirsrv_cert = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
+ for cert in (paths.KDC_CERT, paths.HTTPD_CERT_FILE):
+ cmd = self.replicas[0].run_command(
+ ['getcert', 'list', '-f', cert]
+ )
+ req_id = get_certmonger_fs_id(cmd.stdout_text)
+ tasks.wait_for_certmonger_status(
+ self.replicas[0], ('MONITORING'), req_id, timeout=600
+ )
- # get the req ids of all certs to renew remaining
- # certs by re-submitting it
- result = self.replicas[0].run_command(['getcert', 'list'])
- req_ids = re.findall(r'\d{14}', result.stdout_text)
+ cmd = self.replicas[0].run_command(
+ ['getcert', 'list', '-d', dirsrv_cert]
+ )
+ req_id = get_certmonger_fs_id(cmd.stdout_text)
+ tasks.wait_for_certmonger_status(
+ self.replicas[0], ('MONITORING'), req_id, timeout=600
+ )
- # resubmit the certs to renew them
- for req_id in req_ids:
+ # check if replication working fine
+ testuser = 'testuser1'
+ password = 'Secret@123'
+ stdin = (f"{self.master.config.admin_password}\n"
+ f"{self.master.config.admin_password}\n"
+ f"{self.master.config.admin_password}\n")
+ self.master.run_command(['kinit', 'admin'], stdin_text=stdin)
+ tasks.user_add(self.master, testuser, password=password)
+ self.replicas[0].run_command(['kinit', 'admin'], stdin_text=stdin)
+ self.replicas[0].run_command(['ipa', 'user-show', testuser])
+
+ # renew shared certificates by resubmitting to certmonger
+ cmd = self.replicas[0].run_command(
+ ['getcert', 'list', '-f', paths.RA_AGENT_PEM]
+ )
+ req_id = get_certmonger_fs_id(cmd.stdout_text)
+ if needs_resubmit(self.replicas[0], req_id):
self.replicas[0].run_command(
['getcert', 'resubmit', '-i', req_id]
)
+ tasks.wait_for_certmonger_status(
+ self.replicas[0], ('MONITORING'), req_id, timeout=600
+ )
+ for cert_nick in ('auditSigningCert cert-pki-ca',
+ 'ocspSigningCert cert-pki-ca',
+ 'subsystemCert cert-pki-ca'):
+ cmd = self.replicas[0].run_command(
+ ['getcert', 'list',
+ '-d', paths.PKI_TOMCAT_ALIAS_DIR,
+ '-n', cert_nick]
+ )
+ req_id = get_certmonger_fs_id(cmd.stdout_text)
+ if needs_resubmit(self.replicas[0], req_id):
+ self.replicas[0].run_command(
+ ['getcert', 'resubmit', '-i', req_id]
+ )
+ tasks.wait_for_certmonger_status(
+ self.replicas[0], ('MONITORING'), req_id, timeout=600
+ )
- check_status(self.master, 9, "MONITORING")
+ self.replicas[0].run_command(
+ ['ipa-cert-fix', '-v'], stdin_text='yes\n'
+ )
- # move date back on replica and master
- move_date(self.replicas[0], 'start', '-3years-1days')
- move_date(self.master, 'start', '-3years-1days')
+ check_status(self.replicas[0], 9, "MONITORING")
+
+ # Sometimes certmonger takes time to update the cert status
+ # So check in nssdb instead of relying on getcert command
+ renewed_expiry = get_cert_expiry(
+ self.replicas[0],
+ paths.PKI_TOMCAT_ALIAS_DIR,
+ 'Server-Cert cert-pki-ca'
+ )
+ assert renewed_expiry > initial_expiry
--
2.31.1

73
0049-ipatests-refactor-test_ipa_cert_fix-with-tasks.patch Normal file
View File

@ -0,0 +1,73 @@
From 4a3a15f45aad016730252c09e3e173a18184603e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Wed, 21 Jul 2021 14:29:31 +0200
Subject: [PATCH] ipatests: refactor test_ipa_cert_fix with tasks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: https://pagure.io/freeipa/issue/8932
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_ipa_cert_fix.py | 18 ++++--------------
1 file changed, 4 insertions(+), 14 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index fa69743e2..39904d5de 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -52,16 +52,6 @@ def check_status(host, cert_count, state, timeout=600):
return count
-def move_date(host, chrony_state, date_str):
- """Helper method to move the date on given host
- :param host: The host on which date is to be moved
- :param chrony_state: State to which chrony service to be moved
- :param date_str: date string to move the date i.e 2years1month1days
- """
- host.run_command(['systemctl', chrony_state, 'chronyd'])
- host.run_command(['date', '-s', date_str])
-
-
def needs_resubmit(host, req_id):
"""Helper method to identify if cert request needs to be resubmitted
:param host: the host
@@ -123,13 +113,13 @@ def expire_cert_critical():
tasks.install_kra(host)
# move date to expire certs
- move_date(host, 'stop', '+3Years+1day')
+ tasks.move_date(host, 'stop', '+3Years+1day')
yield _expire_cert_critical
host = hosts.pop('host')
tasks.uninstall_master(host)
- move_date(host, 'start', '-3Years-1day')
+ tasks.move_date(host, 'start', '-3Years-1day')
class TestIpaCertFix(IntegrationTest):
@@ -143,12 +133,12 @@ class TestIpaCertFix(IntegrationTest):
def expire_ca_cert(self):
tasks.install_master(self.master, setup_dns=False,
extra_args=['--no-ntp'])
- move_date(self.master, 'stop', '+20Years+1day')
+ tasks.move_date(self.master, 'stop', '+20Years+1day')
yield
tasks.uninstall_master(self.master)
- move_date(self.master, 'start', '-20Years-1day')
+ tasks.move_date(self.master, 'start', '-20Years-1day')
def test_missing_csr(self, expire_cert_critical):
"""
--
2.31.1

65
0050-ipatests-use-whole-date-for-journalctl-since.patch Normal file
View File

@ -0,0 +1,65 @@
From b5036b5ce9ae4fab011e57fe2b37a35fdd098a70 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 19 Aug 2021 10:51:01 +0200
Subject: [PATCH] ipatests: use whole date for journalctl --since
When a test is executed around midnight and is checking the
journal content with --since=date, it needs to specify the
whole date (with day and time) to avoid missing entries.
If for instance --since=23:59:00 is used and the current time is
now 00:01:00, --since=23:59:00 would refer to a date in the
future and no journal entry will be found.
Fixes: https://pagure.io/freeipa/issue/8953
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Francois Cami <fcami@redhat.com>
---
ipatests/test_integration/test_cert.py | 2 +-
ipatests/test_integration/test_commands.py | 3 ++-
ipatests/test_integration/test_nfs.py | 2 +-
3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index 9a90db5e2..7d51b76ee 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -69,7 +69,7 @@ class TestInstallMasterClient(IntegrationTest):
# time to look into journal logs in
# test_certmonger_ipa_responder_jsonrpc
- cls.since = time.strftime('%H:%M:%S')
+ cls.since = time.strftime('%Y-%m-%d %H:%M:%S')
def test_cacert_file_appear_with_option_F(self):
"""Test if getcert creates cacert file with -F option
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 4d9a81652..fd5d1b472 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1208,7 +1208,8 @@ class TestIPACommand(IntegrationTest):
# start to look at logs a bit before "now"
# https://pagure.io/freeipa/issue/8432
since = time.strftime(
- '%H:%M:%S', (datetime.now() - timedelta(seconds=10)).timetuple()
+ '%Y-%m-%d %H:%M:%S',
+ (datetime.now() - timedelta(seconds=10)).timetuple()
)
password = 'WrongPassword'
diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py
index 9a6153409..dc53a6da9 100644
--- a/ipatests/test_integration/test_nfs.py
+++ b/ipatests/test_integration/test_nfs.py
@@ -130,7 +130,7 @@ class TestNFS(IntegrationTest):
nfsclt = self.clients[1]
# for journalctl --since
- since = time.strftime('%H:%M:%S')
+ since = time.strftime('%Y-%m-%d %H:%M:%S')
nfsclt.run_command(["systemctl", "restart", "rpc-gssd"])
time.sleep(WAIT_AFTER_INSTALL)
mountpoints = ("/mnt/krb", "/mnt/std", "/home")
--
2.31.1

19
freeipa.spec
View File

@ -196,7 +196,7 @@
Name: %{package_name} Name: %{package_name}
Version: %{IPA_VERSION} Version: %{IPA_VERSION}
Release: 5%{?rc_version:.%rc_version}%{?dist} Release: 6%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system Summary: The Identity, Policy and Audit system
License: GPLv3+ License: GPLv3+
@ -259,7 +259,13 @@ Patch0040: 0040-ipatests-use-krb5_trace-in-TestIpaAdTrustInstall.patch
Patch0041: 0041-ipatests-Test-ldapsearch-with-base-scope-works-with-.patch Patch0041: 0041-ipatests-Test-ldapsearch-with-base-scope-works-with-.patch
Patch0042: 0042-ipatests-skip-test_basesearch_compat_tree-on-fedora.patch Patch0042: 0042-ipatests-skip-test_basesearch_compat_tree-on-fedora.patch
Patch0043: 0043-ipatests-Refactor-test_check_otpd_after_idle_timeout.patch Patch0043: 0043-ipatests-Refactor-test_check_otpd_after_idle_timeout.patch
Patch0044: 0044-ipatests-Test-unsecure-nsupdate.patch
Patch0045: 0045-ipatests-Fix-TestAJPSecretUpgrade-tests-on-systems-w.patch
Patch0046: 0046-ipatests-test_ipahealthcheck-Verify-permissions-for-.patch
Patch0047: 0047-ipatests-test-to-renew-certs-on-replica-using-ipa-ce.patch
Patch0048: 0048-ipatests-wait-while-http-ldap-pkinit-cert-get-renew-.patch
Patch0049: 0049-ipatests-refactor-test_ipa_cert_fix-with-tasks.patch
Patch0050: 0050-ipatests-use-whole-date-for-journalctl-since.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif %endif
%endif %endif
@ -1746,6 +1752,15 @@ fi
%endif %endif
%changelog %changelog
* Thu Aug 26 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-6
- Resolves: rhbz#1998098 - Backport latest test fixes in python3-ipatests
- ipatests: Test unsecure nsupdate.
- ipatests: Fix TestAJPSecretUpgrade tests on systems without pkiuser
- ipatests: test_ipahealthcheck: Verify permissions for /var/log/ files
- ipatests: test to renew certs on replica using ipa-cert-fix
- ipatests: wait while http/ldap/pkinit cert get renew on replica
- ipatests: refactor test_ipa_cert_fix with tasks
- ipatests: use whole date for journalctl --since
* Tue Aug 17 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-5 * Tue Aug 17 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-5
- Resolves: rhbz#1988383 Do SRV discovery in ipa-getkeytab if -s and -H aren't provided - Resolves: rhbz#1988383 Do SRV discovery in ipa-getkeytab if -s and -H aren't provided
- ipa-getkeytab: add option to discover servers using DNS SRV - ipa-getkeytab: add option to discover servers using DNS SRV