From 7f30ddb1b7e30c22f9b7d14d2658b58a0ea6b459 Mon Sep 17 00:00:00 2001 From: Mohammad Rizwan Date: Tue, 2 Feb 2021 17:33:57 +0530 Subject: [PATCH] ipatests: Test if ipa-cert-fix renews expired certs Test moves system date to expire certs. Then calls ipa-cert-fix to renew them. This certs include subsystem, audit-signing, OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs. related: https://pagure.io/freeipa/issue/7885 Signed-off-by: Mohammad Rizwan Reviewed-By: Florence Blanc-Renaud Reviewed-By: Anuja More Reviewed-By: Florence Blanc-Renaud Reviewed-By: Anuja More --- .../test_integration/test_ipa_cert_fix.py | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py index f9e5fe6e2..da68af573 100644 --- a/ipatests/test_integration/test_ipa_cert_fix.py +++ b/ipatests/test_integration/test_ipa_cert_fix.py @@ -8,12 +8,16 @@ Module provides tests for ipa-cert-fix CLI. import pytest import time +import logging from ipaplatform.paths import paths from ipatests.pytest_ipa.integration import tasks from ipatests.test_integration.base import IntegrationTest from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup +logger = logging.getLogger(__name__) + + def server_install_teardown(func): def wrapped(*args): master = args[0].master 
@@ -24,6 +28,26 @@ def server_install_teardown(func): return wrapped +def check_status(host, cert_count, state, timeout=600): + """Helper method to check that if all the certs are in given state + :param host: the host + :param cert_count: no of cert to look for + :param state: state to check for + :param timeout: max time in seconds to wait for the state + """ + for _i in range(0, timeout, 10): + result = host.run_command(['getcert', 'list']) + count = result.stdout_text.count(f"status: {state}") + logger.info("cert count in %s state : %s", state, count) + if int(count) == cert_count: + break + time.sleep(10) + else: + raise RuntimeError("request timed out") + + return count + + class TestIpaCertFix(IntegrationTest): @classmethod def uninstall(cls, mh): 
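Review bot: The timeout path in `check_status` raises `RuntimeError("request timed out")` without saying which state was awaited or how many certs were expected, so a failed renewal run cannot be triaged from the traceback alone. I would name the target, e.g. `raise RuntimeError(f"timed out waiting for {cert_count} certs in state {state}")`. Because the loop breaks only on exact equality, a host that tracks more requests in that state than expected also ends in this timeout, and the message plus the already-logged count should let a reader tell the two cases apart. `int(count)` is redundant since `str.count` already returns an int, and the docstring could gain a `:return:` line for the count it hands back.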
@@ -106,6 +130,42 @@ class TestIpaCertFix(IntegrationTest): # timeout raise AssertionError('Timeout: Failed to renew all the certs') + def test_renew_expired_cert_on_master(self, expire_cert_critical): + """Test if ipa-cert-fix renews expired certs + + Test moves system date to expire certs. Then calls ipa-cert-fix + to renew them. This certs include subsystem, audit-signing, + OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs. + + related: https://pagure.io/freeipa/issue/7885 + """ + # wait for cert expiry + check_status(self.master, 8, "CA_UNREACHABLE") + + self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n') + + check_status(self.master, 9, "MONITORING") + + # second iteration of ipa-cert-fix + result = self.master.run_command( + ['ipa-cert-fix', '-v'], + stdin_text='yes\n' + ) + assert "Nothing to do" in result.stdout_text + check_status(self.master, 9, "MONITORING") + + def test_ipa_cert_fix_non_ipa(self): + """Test ipa-cert-fix doesn't work on non ipa system + + ipa-cert-fix tool should not work on non ipa system. + + related: https://pagure.io/freeipa/issue/7885 + """ + result = self.master.run_command(['ipa-cert-fix', '-v'], + stdin_text='yes\n', + raiseonerr=False) + assert result.returncode == 2 + class TestIpaCertFixThirdParty(CALessBase): """ -- 2.29.2 From 36a60dbb35cb4429f00528f79bec8b7982a30c74 Mon Sep 17 00:00:00 2001 From: Mohammad Rizwan Date: Thu, 11 Feb 2021 16:54:22 +0530 Subject: [PATCH] Move fixture outside the class and add setup_kra capability Moved fixture to use across multiple classes. Added capability to install the KRA to the fixture Signed-off-by: Mohammad Rizwan Reviewed-By: Florence Blanc-Renaud Reviewed-By: Anuja More Reviewed-By: Florence Blanc-Renaud Reviewed-By: Anuja More --- .../test_integration/test_ipa_cert_fix.py | 46 ++++++++++++------- 1 file changed, 30 insertions(+), 16 deletions(-) 
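Review bot: `test_ipa_cert_fix_non_ipa` takes no fixture and does nothing itself to put the host into a non-IPA state, so it appears to depend on running right after `test_renew_expired_cert_on_master`, whose `expire_cert_critical` teardown presumably uninstalls the master. Run alone or reordered, it may see a different host state. A comment such as `# relies on the previous test's fixture teardown having uninstalled the master` would make that explicit, or the test could establish the state itself. The only assertion is `result.returncode == 2`; checking the error text as well would tell the intended refusal apart from any other failure that happens to exit with 2. Both methods sit inside `TestIpaCertFix`, whose header is outside this hunk.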
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py index da68af573..591dc5031 100644 --- a/ipatests/test_integration/test_ipa_cert_fix.py +++ b/ipatests/test_integration/test_ipa_cert_fix.py @@ -48,6 +48,33 @@ def check_status(host, cert_count, state, timeout=600): return count +@pytest.fixture +def expire_cert_critical(): + """ + Fixture to expire the certs by moving the system date using + date -s command and revert it back + """ + + hosts = dict() + + def _expire_cert_critical(host, setup_kra=False): + hosts['host'] = host + # Do not install NTP as the test plays with the date + tasks.install_master(host, setup_dns=False, + extra_args=['--no-ntp']) + if setup_kra: + tasks.install_kra(host) + host.run_command(['systemctl', 'stop', 'chronyd']) + host.run_command(['date', '-s', '+3Years+1day']) + + yield _expire_cert_critical + + host = hosts.pop('host') + tasks.uninstall_master(host) + host.run_command(['date', '-s', '-3Years-1day']) + host.run_command(['systemctl', 'start', 'chronyd']) + + class TestIpaCertFix(IntegrationTest): @classmethod def uninstall(cls, mh): @@ -55,22 +82,6 @@ class TestIpaCertFix(IntegrationTest): # the fixture pass - @pytest.fixture - def expire_cert_critical(self): - """ - Fixture to expire the certs by moving the system date using - date -s command and revert it back - """ - # Do not install NTP as the test plays with the date - tasks.install_master(self.master, setup_dns=False, - extra_args=['--no-ntp']) - self.master.run_command(['systemctl', 'stop', 'chronyd']) - self.master.run_command(['date','-s', '+3Years+1day']) - yield - tasks.uninstall_master(self.master) - self.master.run_command(['date','-s', '-3Years-1day']) - self.master.run_command(['systemctl', 'start', 'chronyd']) - def test_missing_csr(self, expire_cert_critical): """ Test that ipa-cert-fix succeeds when CSR is missing from CS.cfg 
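Review bot: The teardown half of `expire_cert_critical` is unguarded: if `tasks.uninstall_master(host)` raises, the `date -s -3Years-1day` and `systemctl start chronyd` calls never run, leaving the host three years ahead with time sync stopped for any later test on that machine. The reverse case is also open, because a failure inside `install_master` or `install_kra` happens before the clock is advanced, yet teardown still subtracts three years. In addition, `hosts.pop('host')` raises `KeyError` when a test requests the fixture without calling the factory. I would record whether the clock was actually moved and restore it in a `finally`, as sketched below.

```python
    def _expire_cert_critical(host, setup_kra=False):
        # … unchanged: remember host, install_master, optional install_kra …
        host.run_command(['systemctl', 'stop', 'chronyd'])
        host.run_command(['date', '-s', '+3Years+1day'])
        hosts['clock_moved'] = True

    yield _expire_cert_critical

    host = hosts.pop('host', None)
    if host is None:
        # the test never called the factory, nothing to undo
        return
    try:
        tasks.uninstall_master(host)
    finally:
        # only step the clock back if it was really stepped forward
        if hosts.pop('clock_moved', False):
            host.run_command(['date', '-s', '-3Years-1day'])
        host.run_command(['systemctl', 'start', 'chronyd'])
```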
@@ -82,6 +93,7 @@ class TestIpaCertFix(IntegrationTest): - call getcert resubmit in order to create the CSR in certmonger file - use ipa-cert-fix, no issue should be seen """ + expire_cert_critical(self.master) # pki must be stopped in order to edit CS.cfg self.master.run_command(['ipactl', 'stop']) self.master.run_command(['sed', '-i', r'/ca\.sslserver\.certreq=/d', @@ -139,6 +151,8 @@ class TestIpaCertFix(IntegrationTest): related: https://pagure.io/freeipa/issue/7885 """ + expire_cert_critical(self.master) + # wait for cert expiry check_status(self.master, 8, "CA_UNREACHABLE") -- 2.29.2 From c84e0547e1a693ba0e9edbfeea7bafdb2fb2b4a2 Mon Sep 17 00:00:00 2001 From: Mohammad Rizwan Date: Thu, 11 Feb 2021 16:59:53 +0530 Subject: [PATCH] ipatests: Test if ipa-cert-fix renews expired certs with kra installed This test check if ipa-cert-fix renews certs with kra certificate installed. related: https://pagure.io/freeipa/issue/7885 Signed-off-by: Mohammad Rizwan Reviewed-By: Florence Blanc-Renaud Reviewed-By: Anuja More Reviewed-By: Florence Blanc-Renaud Reviewed-By: Anuja More --- .../test_integration/test_ipa_cert_fix.py | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py index 591dc5031..b2e92d4dc 100644 --- a/ipatests/test_integration/test_ipa_cert_fix.py +++ b/ipatests/test_integration/test_ipa_cert_fix.py 
@@ -225,3 +225,28 @@ class TestIpaCertFixThirdParty(CALessBase): # the DS nickname is used and not a hardcoded value. result = self.master.run_command(['ipa-cert-fix', '-v'],) assert self.nickname in result.stderr_text + + +class TestCertFixKRA(IntegrationTest): + @classmethod + def uninstall(cls, mh): + # Uninstall method is empty as the uninstallation is done in + # the fixture + pass + + def test_renew_expired_cert_with_kra(self, expire_cert_critical): + """Test if ipa-cert-fix renews expired certs with kra installed + + This test check if ipa-cert-fix renews certs with kra + certificate installed. + + related: https://pagure.io/freeipa/issue/7885 + """ + expire_cert_critical(self.master, setup_kra=True) + + # check if all subsystem cert expired + check_status(self.master, 11, "CA_UNREACHABLE") + + self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n') + + check_status(self.master, 12, "MONITORING") -- 2.29.2 From 260fbcb03297ef1ed5418b16c0df0587d2989b22 Mon Sep 17 00:00:00 2001 From: Mohammad Rizwan Date: Tue, 2 Mar 2021 11:42:36 +0530 Subject: [PATCH] ipatests: update nightly definition for ipa_cert_fix suite Signed-off-by: Mohammad Rizwan Reviewed-By: Florence Blanc-Renaud Reviewed-By: Anuja More --- ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml | 2 +- ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml | 2 +- ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml index ebd539246..8a88698eb 100644 --- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml +++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml @@ -1687,5 +1687,5 @@ jobs: build_url: '{fedora-latest-ipa-4-9/build_url}' test_suite: test_integration/test_ipa_cert_fix.py template: *ci-ipa-4-9-latest - timeout: 3600 + timeout: 7200 topology: *master_1repl 
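Review bot: The expected totals `11` and `12` passed to `check_status` in `test_renew_expired_cert_with_kra` are bare literals, with nothing to say which tracked certificates they stand for or why one fewer is expected in `CA_UNREACHABLE` than in `MONITORING`. The same applies to `8` and `9` in `test_renew_expired_cert_on_master` earlier in the series. Presumably one tracked cert outlives the three-year jump, but that should be stated, for instance `# 12 tracked certs with KRA; all but <long-lived cert> expire after the date jump`. Named constants shared by both tests would also keep the counts from drifting apart when the tracked set changes. Unlike the master test, this one does not run `ipa-cert-fix` a second time to confirm it reports nothing to do, which may be worth adding for parity.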
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml index d4b597d6e..14f0c4292 100644 --- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml +++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml @@ -1821,5 +1821,5 @@ jobs: selinux_enforcing: True test_suite: test_integration/test_ipa_cert_fix.py template: *ci-ipa-4-9-latest - timeout: 3600 + timeout: 7200 topology: *master_1repl diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml index 1fd589e6a..b7f8d2b3e 100644 --- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml +++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml @@ -1687,5 +1687,5 @@ jobs: build_url: '{fedora-previous-ipa-4-9/build_url}' test_suite: test_integration/test_ipa_cert_fix.py template: *ci-ipa-4-9-previous - timeout: 3600 + timeout: 7200 topology: *master_1repl -- 2.29.2