Beispiel #1
    def test_missing_csr(self, expire_cert_critical):
        """
        Check that ipa-cert-fix copes with a CSR that is absent from CS.cfg.

        Regression test for https://pagure.io/freeipa/issue/8618
        Steps:
        - shift the date so that ServerCert cert-pki-ca has expired
        - delete the ca.sslserver.certreq directive from CS.cfg
        - run getcert resubmit so that the certmonger file holds the CSR
        - run ipa-cert-fix and expect no complaint about the missing file
        """
        master = self.master
        expire_cert_critical(master)

        # CS.cfg may only be edited while pki is stopped.
        master.run_command(['ipactl', 'stop'])
        drop_certreq = ['sed', '-i', r'/ca\.sslserver\.certreq=/d',
                        paths.CA_CS_CFG_PATH]
        master.run_command(drop_certreq)
        # ipa-cert-fix needs dirsrv running; --ignore-service-failures lets
        # ipactl carry on when some other service does not come up.
        master.run_command(['ipactl', 'start', '--ignore-service-failures'])

        # certmonger only gets the CSR once getcert resubmit has run.
        # Normally that is triggered automatically close to expiry; the
        # test triggers it by hand.
        resubmit = ['getcert', 'resubmit',
                    '-n', 'Server-Cert cert-pki-ca',
                    '-d', paths.PKI_TOMCAT_ALIAS_DIR]
        master.run_command(resubmit)
        # Short fixed pause after the resubmit request.
        time.sleep(3)

        # The actual check: ipa-cert-fix must not report a missing
        # sslserver.crt. raiseonerr=False is passed, and the exit status is
        # asserted explicitly further down.
        # NOTE(review): 'yes' on stdin presumably answers the tool's
        # confirmation prompt; confirm against ipa-cert-fix.
        fix = master.run_command(['ipa-cert-fix', '-v'],
                                 stdin_text='yes\n',
                                 raiseonerr=False)
        missing_crt = ("No such file or directory: "
                       "'/etc/pki/pki-tomcat/certs/sslserver.crt'")
        assert missing_crt not in fix.stderr_text

        # BZ 1897120 makes pki-cert-fix fail on pki-core 10.10.0, so on that
        # version only the error-message check above is applied and the
        # exit status and renewal state are not verified.
        # https://bugzilla.redhat.com/show_bug.cgi?id=1897120
        installed_pki = tasks.get_pki_version(master)
        if installed_pki == tasks.parse_version('10.10.0'):
            return

        assert fix.returncode == 0

        # Number of requests certmonger is tracking.
        listing = master.run_command(['getcert', 'list'])
        tracked = listing.stdout_text.count('Request ID')
        timeout = 600
        started = time.time()
        # Poll for up to 10 minutes, 100 seconds apart, until the number of
        # requests in MONITORING state equals the number of tracked requests.
        while True:
            if time.time() - started >= timeout:
                raise AssertionError('Timeout: Failed to renew all the certs')
            listing = master.run_command(['getcert', 'list'])
            if listing.stdout_text.count('status: MONITORING') == tracked:
                break
            time.sleep(100)
Beispiel #2
    def test_kra_detection(self):
        """Check that ipa-server-upgrade detects KRA presence correctly.

        Regression test for https://pagure.io/freeipa/issue/8596
        The upgrade used to treat the mere existence of
        /var/lib/pki/pki-tomcat/kra/ as proof that the KRA component is
        installed, and then crashed. The test creates that directory empty
        and runs ipa-server-upgrade, to make sure that detection no longer
        relies on the directory being present.
        """
        # pki 10.10.0 fails to start when an empty
        # /var/lib/pki/pki-tomcat/kra directory exists
        # (https://github.com/dogtagpki/pki/issues/3397), so the scenario is
        # skipped on that version.
        installed_pki = tasks.get_pki_version(self.master)
        if installed_pki == tasks.parse_version('10.10.0'):
            pytest.skip("Skip test with pki 10.10.0")

        fake_kra_dir = os.path.join(paths.VAR_LIB_PKI_TOMCAT_DIR, "kra")
        try:
            self.master.run_command(["mkdir", "-p", fake_kra_dir])
            upgrade = self.master.run_command(['ipa-server-upgrade'])
            # Only this specific error text is checked in stderr.
            unexpected = 'Upgrade failed with no such entry'
            assert unexpected not in upgrade.stderr_text
        finally:
            # rmdir removes the directory only if it is empty.
            # NOTE(review): this cleanup also runs when the mkdir above
            # failed, and mkdir -p succeeds on a directory that already
            # exists; confirm the test is never run on a host with a real
            # KRA instance.
            self.master.run_command(["rmdir", fake_kra_dir])
Beispiel #3
    def test_ipahealthcheck_hidden_replica(self):
        """Run ipa-healthcheck on each member of an IPA cluster that
        includes a hidden replica and expect it to succeed everywhere.
        """
        platform = tasks.get_platform(self.master)
        platform_version = tasks.get_platform_version(self.master)
        pki_version = tasks.get_pki_version(self.master)
        replica = self.replicas[0]

        # verify state
        self._check_config([self.master], [replica])
        # ipa-healthcheck only works on the replica once it owns a DNA
        # range. Adding (and then deleting) a user there makes the replica
        # obtain one.
        tasks.user_add(replica, 'testuser')
        tasks.user_del(replica, 'testuser')
        for host in (self.master, replica):
            returncode, _unused = run_healthcheck(host, failures_only=True)
            # A failure is tolerated (xfail) only below these pki versions:
            # 11.1.0 on Fedora, 10.12.0 on RHEL 8, 11.0.4 on RHEL 9.
            pki_too_old = (
                (platform == 'fedora'
                 and pki_version < tasks.parse_version('11.1.0'))
                or (platform == 'rhel'
                    and platform_version[0] == 8
                    and pki_version < tasks.parse_version('10.12.0'))
                or (platform == 'rhel'
                    and platform_version[0] == 9
                    and pki_version < tasks.parse_version('11.0.4'))
            )
            known_issue = 'https://pagure.io/freeipa/issue/8582'
            with xfail_context(pki_too_old, known_issue):
                assert returncode == 0
    def test_missing_startup(self, expire_cert_critical):
        """
        Check ipa-cert-fix when the startup selftest directive is missing.

        With 'selftests.container.order.startup' removed from CS.cfg,
        ipa-cert-fix is expected to fail with a proper error message, and
        the underlying 'pki-server cert-fix' command is expected to fail to
        renew the cert.

        related: https://pagure.io/freeipa/issue/8721

        Since https://github.com/dogtagpki/pki/pull/3466 a warning is
        displayed instead of failing, so depending on the pki version the
        test expects either the errors or the warning.

        related: https://pagure.io/freeipa/issue/8890
        """
        master = self.master
        expire_cert_critical(master)

        # CS.cfg may only be edited while pki is stopped.
        master.run_command(['ipactl', 'stop'])
        drop_startup = ['sed', '-i',
                        r'/selftests\.container\.order\.startup/d',
                        paths.CA_CS_CFG_PATH]
        master.run_command(drop_startup)
        # ipa-cert-fix needs dirsrv running; --ignore-service-failures lets
        # ipactl carry on when some other service does not come up.
        master.run_command(['ipactl', 'start', '--ignore-service-failures'])

        # raiseonerr=False is passed; the outcome is judged from the output
        # text below, and the exit status itself is not asserted.
        fix = master.run_command(['ipa-cert-fix', '-v'],
                                 stdin_text='yes\n',
                                 raiseonerr=False)

        directive_error = "ERROR: 'selftests.container.order.startup'"
        # Start of the message logged when pki-server cert-fix fails.
        cert_fix_error = ("ERROR: CalledProcessError(Command "
                          "['pki-server', 'cert-fix'")
        selftest_warning = (
            f"WARNING: No selftests configured in {paths.CA_CS_CFG_PATH} "
            "(selftests.container.order.startup)"
        )

        installed_pki = tasks.get_pki_version(master)
        if installed_pki < tasks.parse_version('10.11.0'):
            # pki older than 10.11.0: both errors must be reported on stderr.
            assert directive_error in fix.stderr_text
            assert cert_fix_error in fix.stderr_text
        else:
            # pki 10.11.0 and later: only a warning on stdout is expected.
            assert selftest_warning in fix.stdout_text