Ejemplo n.º 1
class TestTracking(BaseTest):
    """Tests for the IPACertTracking check, run against mocked certmonger data.

    The cases cover a fully tracked set of requests, an expected request
    that is missing from certmonger (reported as ERROR), and a tracking
    request that is not in the expected list (reported as WARNING).
    """

    # Targets replaced by mocks for the duration of each test.
    # NOTE(review): how BaseTest applies this mapping is not visible here.
    patches = {
        'ipahealthcheck.ipa.certs.get_expected_requests':
        Mock(return_value=get_expected_requests()),
        'ipalib.install.certmonger._cm_dbus_object':
        Mock(side_effect=create_mock_dbus),
        'ipalib.install.certmonger._certmonger':
        Mock(return_value=_certmonger())
    }

    def _run_tracking_check(self):
        """Initialise the registry, run IPACertTracking and keep the results.

        The captured results are stored on ``self.results`` and returned.
        """
        registry.initialize(object(), config.Config)
        self.results = capture_results(IPACertTracking(registry))
        return self.results

    def test_known_cert_tracking(self):
        """With the default mocked requests the check yields two results."""
        set_requests()

        captured = self._run_tracking_check()

        assert len(captured) == 2

    def test_missing_cert_tracking(self):
        """A request absent from certmonger is reported as an ERROR."""
        # Drop the first mocked request so its tracking is missing.
        set_requests(remove=0)

        captured = self._run_tracking_check()

        assert len(captured) == 2

        missing = captured.results[0]
        assert (missing.result, missing.source, missing.check) == (
            constants.ERROR,
            'ipahealthcheck.ipa.certs',
            'IPACertTracking',
        )
        # The message must name every tracking attribute of the RA agent
        # certificate, including its pre- and post-save commands.
        expected_msg = (
            "Missing tracking for "
            "cert-file=/var/lib/ipa/ra-agent.pem, "
            "key-file=/var/lib/ipa/ra-agent.key, "
            "ca-name=dogtag-ipa-ca-renew-agent, "
            "cert-storage=FILE, "
            "cert-presave-command="
            "/usr/libexec/ipa/certmonger/renew_ra_cert_pre, "
            "cert-postsave-command="
            "/usr/libexec/ipa/certmonger/renew_ra_cert"
        )
        assert missing.kw.get('msg') == expected_msg

    def test_unknown_cert_tracking(self):
        """A tracking request outside the expected set is a WARNING."""
        # Constructed request that matches none of the expected ones.
        extra_request = {
            'nickname': '7777',
            'cert-file': '/tmp/test.crt',
            'key-file': '/tmp/test.key',
            'ca-name': 'IPA',
        }
        set_requests(add=extra_request)

        captured = self._run_tracking_check()

        assert len(captured) == 3

        # The unknown request is asserted to be the last result.
        unexpected = captured.results[2]
        assert (unexpected.result, unexpected.source, unexpected.check) == (
            constants.WARNING,
            'ipahealthcheck.ipa.certs',
            'IPACertTracking',
        )
        assert unexpected.kw.get('msg') == 'Unknown certmonger id 7777'
Ejemplo n.º 2
class TestRevocation(BaseTest):
    """Tests for the IPACertRevocation check using mocked ``cert_show`` replies.

    A certificate whose ``cert_show`` reply says it is revoked must be
    reported as ERROR together with a readable revocation reason; every
    other certificate is reported as SUCCESS.
    """

    # Targets replaced by mocks for the duration of each test.
    # NOTE(review): how BaseTest applies this mapping is not visible here.
    patches = {
        'ipaserver.install.certs.is_ipa_issued_cert':
        Mock(return_value=True),
        'ipalib.x509.load_certificate_from_file':
        Mock(return_value=IPACertificate()),
        'ipahealthcheck.ipa.certs.get_expected_requests':
        Mock(return_value=get_expected_requests()),
        'ipalib.install.certmonger._cm_dbus_object':
        Mock(side_effect=create_mock_dbus),
        'ipalib.install.certmonger._certmonger':
        Mock(return_value=_certmonger()),
        'ipaserver.install.cainstance.CAInstance':
        Mock(return_value=CAInstance()),
    }

    def _run_revocation_check(self, cert_show_replies):
        """Run IPACertRevocation with the given sequence of cert_show replies.

        Each ``cert_show`` call consumes the next reply in order. The
        captured results are stored on ``self.results`` and returned.
        """
        # NOTE(review): m_api is defined outside this class, so the
        # side_effect set here persists until another test replaces it.
        m_api.Command.cert_show.side_effect = cert_show_replies

        set_requests()

        registry.initialize(object())
        check = IPACertRevocation(registry)
        check.config = config.Config()

        self.results = capture_results(check)
        return self.results

    def test_revocation_ok(self):
        """Two unrevoked certificates give two SUCCESS results."""
        captured = self._run_revocation_check([
            {u'result': {u"revoked": False}},
            {u'result': {u"revoked": False}},
        ])

        assert len(captured) == 2

        for entry in captured.results:
            assert (entry.result, entry.source, entry.check) == (
                constants.SUCCESS,
                'ipahealthcheck.ipa.certs',
                'IPACertRevocation',
            )

    def test_revocation_one_bad(self):
        """A revoked certificate is an ERROR carrying the named reason."""
        captured = self._run_revocation_check([
            {u'result': {u"revoked": False}},
            # Reason code 4 is "superseded" in the RFC 5280 CRLReason list.
            {u'result': {u"revoked": True, u"revocation_reason": 4}},
        ])

        assert len(captured) == 2

        still_valid = captured.results[0]
        assert (still_valid.result, still_valid.source, still_valid.check) == (
            constants.SUCCESS,
            'ipahealthcheck.ipa.certs',
            'IPACertRevocation',
        )

        revoked = captured.results[1]
        assert (revoked.result, revoked.source, revoked.check) == (
            constants.ERROR,
            'ipahealthcheck.ipa.certs',
            'IPACertRevocation',
        )
        assert revoked.kw.get('revocation_reason') == 'superseded'
Ejemplo n.º 3
class TestExpiration(BaseTest):
    """Tests for IPACertmongerExpirationCheck against mocked certmonger data.

    The check is expected to report ERROR for a certificate that has
    already expired, WARNING for one that expires inside the configured
    ``cert_expiration_days`` window, and SUCCESS otherwise.
    """

    # Targets replaced by mocks for the duration of each test.
    # NOTE(review): how BaseTest applies this mapping is not visible here.
    patches = {
        'ipahealthcheck.ipa.certs.get_expected_requests':
        Mock(return_value=get_expected_requests()),
        'ipalib.install.certmonger._cm_dbus_object':
        Mock(side_effect=create_mock_dbus),
        'ipalib.install.certmonger._certmonger':
        Mock(return_value=_certmonger())
    }

    def _run_expiration_check(self, expiration_days):
        """Run the check with ``cert_expiration_days`` set to the given value.

        The captured results are stored on ``self.results`` and returned.
        """
        registry.initialize(object(), config.Config)
        check = IPACertmongerExpirationCheck(registry)
        # The threshold is supplied as a string in these tests.
        check.config.cert_expiration_days = expiration_days

        self.results = capture_results(check)
        return self.results

    def test_expiration(self):
        """An already-expired request is an ERROR; the other is SUCCESS."""
        set_requests()

        captured = self._run_expiration_check('7')

        assert len(captured) == 2

        expired = captured.results[0]
        assert (expired.result, expired.source, expired.check) == (
            constants.ERROR,
            'ipahealthcheck.ipa.certs',
            'IPACertmongerExpirationCheck',
        )
        assert expired.kw.get('key') == '1234'
        # A 1970 date: presumably the mocked request carries a tiny epoch
        # value as its expiry -- confirm against the mock data.
        assert expired.kw.get('expiration_date') == '19700101001704Z'

        healthy = captured.results[1]
        assert (healthy.result, healthy.source, healthy.check) == (
            constants.SUCCESS,
            'ipahealthcheck.ipa.certs',
            'IPACertmongerExpirationCheck',
        )
        assert healthy.kw.get('key') == '5678'

    def test_expiration_warning(self):
        """A certificate expiring within the threshold is a WARNING."""
        expires_at = datetime.now(timezone.utc) + timedelta(days=20)
        # Stand-in for the RA agent request, expiring 20 days from now.
        replacement = {
            'nickname': '7777',
            'cert-file': paths.RA_AGENT_PEM,
            'key-file': paths.RA_AGENT_KEY,
            'ca-name': 'dogtag-ipa-ca-renew-agent',
            'not-valid-after': int(expires_at.timestamp()),
        }

        # Swap the first mocked request for the soon-to-expire one.
        set_requests(remove=0, add=replacement)

        captured = self._run_expiration_check(str(CERT_EXPIRATION_DAYS))

        assert len(captured) == 2

        healthy = captured.results[0]
        assert (healthy.result, healthy.source, healthy.check) == (
            constants.SUCCESS,
            'ipahealthcheck.ipa.certs',
            'IPACertmongerExpirationCheck',
        )
        assert healthy.kw.get('key') == '5678'

        expiring = captured.results[1]
        assert (expiring.result, expiring.source, expiring.check) == (
            constants.WARNING,
            'ipahealthcheck.ipa.certs',
            'IPACertmongerExpirationCheck',
        )
        assert expiring.kw.get('key') == '7777'
        # 19 rather than 20: presumably whole days remaining are counted at
        # the moment the check runs, after the timestamp above -- confirm.
        assert expiring.kw.get('days') == 19
class TestIPACertificateFile(BaseTest):
    """Tests for IPACertfileExpirationCheck with a mocked on-disk certificate.

    ``ipalib.x509.load_certificate_from_file`` is patched per test so the
    certificate's ``not_valid_after`` can be placed comfortably in the
    future, inside the warning window, or in the past.
    """

    # Targets replaced by mocks for the duration of each test.
    # NOTE(review): how BaseTest applies this mapping is not visible here.
    patches = {
        'ipahealthcheck.ipa.certs.get_expected_requests':
        Mock(return_value=get_expected_requests()),
        'ipalib.install.certmonger._cm_dbus_object':
        Mock(side_effect=create_mock_dbus),
        'ipalib.install.certmonger._certmonger':
        Mock(return_value=_certmonger()),
    }

    def _run_certfile_check(self, mock_load_cert, days_left, threshold_days):
        """Run the check on a certificate expiring ``days_left`` days from now.

        ``threshold_days`` becomes ``cert_expiration_days``. The captured
        results are stored on ``self.results`` and returned.
        """
        # Keep a single mocked request.
        set_requests(remove=1)

        # NOTE(review): utcnow() is naive and deprecated since Python 3.12;
        # the check presumably compares against a naive UTC time as well --
        # confirm before moving to an aware datetime.
        expiry = datetime.utcnow() + timedelta(days=days_left)
        mock_load_cert.return_value = IPACertificate(not_valid_after=expiry)

        registry.initialize(object())
        check = IPACertfileExpirationCheck(registry)

        check.config = config.Config()
        # NOTE(review): an int here, while TestExpiration passes a string;
        # confirm the check accepts both forms.
        check.config.cert_expiration_days = threshold_days

        self.results = capture_results(check)
        return self.results

    @patch('ipalib.x509.load_certificate_from_file')
    def test_certfile_expiration(self, mock_load_cert):
        """Expiry 30 days out with a 28-day threshold is SUCCESS."""
        captured = self._run_certfile_check(mock_load_cert, 30, 28)

        assert len(captured) == 1

        outcome = captured.results[0]
        assert (outcome.result, outcome.source, outcome.check) == (
            constants.SUCCESS,
            'ipahealthcheck.ipa.certs',
            'IPACertfileExpirationCheck',
        )
        assert outcome.kw.get('key') == '1234'

    @patch('ipalib.x509.load_certificate_from_file')
    def test_certfile_expiration_warning(self, mock_load_cert):
        """Expiry 7 days out with a 30-day threshold is a WARNING."""
        captured = self._run_certfile_check(mock_load_cert, 7, 30)

        assert len(captured) == 1

        outcome = captured.results[0]
        assert (outcome.result, outcome.source, outcome.check) == (
            constants.WARNING,
            'ipahealthcheck.ipa.certs',
            'IPACertfileExpirationCheck',
        )
        assert outcome.kw.get('key') == '1234'
        # 6 rather than 7: presumably whole days remaining are counted when
        # the check runs, slightly after the expiry was computed -- confirm.
        assert 'expires in 6 days' in outcome.kw.get('msg')

    @patch('ipalib.x509.load_certificate_from_file')
    def test_certfile_expiration_expired(self, mock_load_cert):
        """A certificate that expired 100 days ago is an ERROR."""
        captured = self._run_certfile_check(mock_load_cert, -100, 30)

        assert len(captured) == 1

        outcome = captured.results[0]
        assert (outcome.result, outcome.source, outcome.check) == (
            constants.ERROR,
            'ipahealthcheck.ipa.certs',
            'IPACertfileExpirationCheck',
        )
        assert outcome.kw.get('key') == '1234'
        assert 'Request id 1234 expired on' in outcome.kw.get('msg')