ipa/0042-ipatests-pruning-is-enabled-by-default-with-LMDB.patch
Florence Blanc-Renaud 1e38d43370 ipa-4.12.2-8
- Resolves: RHEL-69300 Support GSSAPI in Cockpit on IPA servers
- Resolves: RHEL-68447 ipa trust-add fails in FIPS mode with an internal error has occurred
- Resolves: RHEL-57674 Use RSNv3 and enable cert pruning by default in RHEL 10.0

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
2024-11-27 19:43:17 +01:00


From fd222273a544f9e8c7a1749ff797880db7edbf25 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 25 Nov 2024 13:14:50 +0100
Subject: [PATCH] ipatests: pruning is enabled by default with LMDB
The test test_acme.py::TestACMEPrune::test_enable_pruning expects
certificate pruning to be disabled by default. That assumption
is valid only if the backend is BDB (if the backend is LMDB,
RSNv3 + cert pruning are enabled by default).
Update the test to be consistent with the new defaults.
Fixes: https://pagure.io/freeipa/issue/9706
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_acme.py | 37 +++++++++++++++++---------
1 file changed, 25 insertions(+), 12 deletions(-)
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index 4032d266a8dc72fae6ee11857c306aa3a21e51bc..709d90715823672a3d85a1ef7896fb10ee63fdc5 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -17,6 +17,7 @@ from ipatests.test_integration.test_random_serial_numbers import (
)
from ipaplatform.osinfo import osinfo
from ipaplatform.paths import paths
+from ipapython.dn import DN
from ipatests.test_integration.test_external_ca import (
install_server_external_ca_step1,
install_server_external_ca_step2,
@@ -144,6 +145,15 @@ def certbot_standalone_cert(host, acme_server, no_of_cert=1):
)
+def get_389ds_backend(host):
+ """ Return the backend type used by 389ds (either 'bdb' or 'lmdb')"""
+ conn = host.ldap_connect()
+ entry = conn.get_entry(
+ DN('cn=config,cn=ldbm database,cn=plugins,cn=config'))
+ backend = entry.single_value.get('nsslapd-backend-implement')
+ return backend
+
+
class TestACME(CALessBase):
"""
Test the FreeIPA ACME service by using ACME clients on a FreeIPA client.
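Review bot: get_389ds_backend returns whatever `entry.single_value.get('nsslapd-backend-implement')` yields, so a missing attribute comes back as None and both callers that compare it with `'bdb'` (test_acme_pruning_no_random_serial and the TestACMEPrune hunk) quietly take the non-BDB path. Failing loudly in the helper would avoid that, for example `assert backend, "nsslapd-backend-implement is not set"` before the return. The docstring names the LMDB value as 'lmdb'; that should be confirmed against what 389-ds actually stores in the attribute, since the callers only ever test for 'bdb' and nothing here would catch a mismatch.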
@@ -397,21 +407,22 @@ class TestACME(CALessBase):
assert status == 'disabled'
def test_acme_pruning_no_random_serial(self):
- """This ACME install is configured without random serial
+ """BDB install is configured without random serial
numbers. Verify that we can't enable pruning on it.
-
- This test is located here because by default installs
- don't enable RSNv3.
"""
if (tasks.get_pki_version(self.master)
< tasks.parse_version('11.3.0')):
raise pytest.skip("Certificate pruning is not available")
self.master.run_command(['ipa-acme-manage', 'enable'])
- result = self.master.run_command(
- ['ipa-acme-manage', 'pruning', '--enable'],
- raiseonerr=False)
- assert result.returncode == 1
- assert "requires random serial numbers" in result.stderr_text
+
+ # This test is only relevant with BDB backend
+ # as with LMDB, the installer now enable RSNv3 and cert pruning
+ if get_389ds_backend(self.master) == 'bdb':
+ result = self.master.run_command(
+ ['ipa-acme-manage', 'pruning', '--enable'],
+ raiseonerr=False)
+ assert result.returncode == 1
+ assert "requires random serial numbers" in result.stderr_text
@server_install_teardown
def test_third_party_certs(self):
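Review bot: On any backend other than BDB, test_acme_pruning_no_random_serial now runs `ipa-acme-manage enable` and then passes without asserting anything, so the report shows green for a refusal check ("requires random serial numbers") that never ran. An explicit skip in place of the `if` makes the lost coverage visible and keeps the assertions at their original indent: `if get_389ds_backend(self.master) != 'bdb': pytest.skip("RSNv3 and pruning are enabled by default with LMDB")`. The added comment should read "the installer now enables RSNv3 and cert pruning".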
@@ -707,10 +718,12 @@ class TestACMEPrune(IntegrationTest):
if (tasks.get_pki_version(self.master)
< tasks.parse_version('11.3.0')):
raise pytest.skip("Certificate pruning is not available")
- cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH)
- assert "jobsScheduler.job.pruning.enabled=false".encode() in cs_cfg
- self.master.run_command(['ipa-acme-manage', 'pruning', '--enable'])
+ # Pruning is enabled by default when the host supports lmdb
+ if get_389ds_backend(self.master) == 'bdb':
+ cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH)
+ assert "jobsScheduler.job.pruning.enabled=false".encode() in cs_cfg
+ self.master.run_command(['ipa-acme-manage', 'pruning', '--enable'])
cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH)
assert "jobsScheduler.enabled=true".encode() in cs_cfg
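Review bot: The comment `# Pruning is enabled by default when the host supports lmdb` describes host capability, but the condition below it tests the backend the instance is actually configured with, and it sits above the BDB-only branch. A wording that matches the code would be `# With BDB pruning starts disabled and is enabled here; with LMDB the installer already enabled it`. The enclosing test method starts above this hunk and continues below it, so any later assertions on the pruning settings are not visible here.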
--
2.47.0