class TestTracking(BaseTest):
    """Exercise IPACertTracking against a mocked set of certmonger requests.

    Covers three situations: every expected request is tracked, one expected
    request is absent, and an extra request exists that is not in the
    expected set.
    """

    # Dotted target names mapped to their replacement mocks.
    # NOTE(review): presumably applied by BaseTest around each test - confirm.
    patches = {
        'ipahealthcheck.ipa.certs.get_expected_requests':
        Mock(return_value=get_expected_requests()),
        'ipalib.install.certmonger._cm_dbus_object':
        Mock(side_effect=create_mock_dbus),
        'ipalib.install.certmonger._certmonger':
        Mock(return_value=_certmonger()),
    }

    def test_known_cert_tracking(self):
        """With the default request set the check yields exactly two results."""
        set_requests()

        registry.initialize(object(), config.Config)
        check = IPACertTracking(registry)

        self.results = capture_results(check)

        assert len(self.results) == 2

    def test_missing_cert_tracking(self):
        """A missing expected request is reported as ERROR with its criteria."""
        # The message spells out every field of the request that could not be
        # found, so an operator can see which certificate lost its tracking.
        expected_msg = (
            "Missing tracking for "
            "cert-file=/var/lib/ipa/ra-agent.pem, "
            "key-file=/var/lib/ipa/ra-agent.key, "
            "ca-name=dogtag-ipa-ca-renew-agent, "
            "cert-storage=FILE, "
            "cert-presave-command="
            "/usr/libexec/ipa/certmonger/renew_ra_cert_pre, "
            "cert-postsave-command="
            "/usr/libexec/ipa/certmonger/renew_ra_cert"
        )

        # Drop the first request so the check cannot find it.
        set_requests(remove=0)

        registry.initialize(object(), config.Config)
        check = IPACertTracking(registry)

        self.results = capture_results(check)

        assert len(self.results) == 2

        missing = self.results.results[0]
        assert missing.result == constants.ERROR
        assert missing.source == 'ipahealthcheck.ipa.certs'
        assert missing.check == 'IPACertTracking'
        assert missing.kw.get('msg') == expected_msg

    def test_unknown_cert_tracking(self):
        """A request outside the expected set is reported as WARNING."""
        # A custom request that does not correspond to any expected one.
        extra_request = {
            'nickname': '7777',
            'cert-file': '/tmp/test.crt',
            'key-file': '/tmp/test.key',
            'ca-name': 'IPA',
        }
        set_requests(add=extra_request)

        registry.initialize(object(), config.Config)
        check = IPACertTracking(registry)

        self.results = capture_results(check)

        # Two results as in the default case plus one for the extra request.
        assert len(self.results) == 3

        unknown_result = self.results.results[2]
        assert unknown_result.result == constants.WARNING
        assert unknown_result.source == 'ipahealthcheck.ipa.certs'
        assert unknown_result.check == 'IPACertTracking'
        assert unknown_result.kw.get('msg') == 'Unknown certmonger id 7777'
class TestRevocation(BaseTest):
    """Exercise IPACertRevocation using canned cert_show responses.

    Each test queues one cert_show response per tracked certificate and
    checks how the revocation status is reflected in the results.
    """

    # Dotted target names mapped to their replacement mocks.
    # NOTE(review): presumably applied by BaseTest around each test - confirm.
    patches = {
        'ipaserver.install.certs.is_ipa_issued_cert':
        Mock(return_value=True),
        'ipalib.x509.load_certificate_from_file':
        Mock(return_value=IPACertificate()),
        'ipahealthcheck.ipa.certs.get_expected_requests':
        Mock(return_value=get_expected_requests()),
        'ipalib.install.certmonger._cm_dbus_object':
        Mock(side_effect=create_mock_dbus),
        'ipalib.install.certmonger._certmonger':
        Mock(return_value=_certmonger()),
        'ipaserver.install.cainstance.CAInstance':
        Mock(return_value=CAInstance()),
    }

    def test_revocation_ok(self):
        """Two non-revoked certificates produce two SUCCESS results."""
        # One independent response dict per expected cert_show call.
        m_api.Command.cert_show.side_effect = [
            {u'result': {u"revoked": False}} for _ in range(2)
        ]

        set_requests()

        registry.initialize(object())
        check = IPACertRevocation(registry)
        check.config = config.Config()

        self.results = capture_results(check)

        assert len(self.results) == 2

        for entry in self.results.results:
            assert entry.result == constants.SUCCESS
            assert entry.source == 'ipahealthcheck.ipa.certs'
            assert entry.check == 'IPACertRevocation'

    def test_revocation_one_bad(self):
        """A revoked certificate is an ERROR and carries a readable reason."""
        valid_response = {u'result': {u"revoked": False}}
        # Numeric reason 4 is expected to surface as 'superseded' below
        # (the same numbering as the RFC 5280 CRLReason codes).
        revoked_response = {
            u'result': {
                u"revoked": True,
                u"revocation_reason": 4,
            }
        }
        m_api.Command.cert_show.side_effect = [
            valid_response,
            revoked_response,
        ]

        set_requests()

        registry.initialize(object())
        check = IPACertRevocation(registry)
        check.config = config.Config()

        self.results = capture_results(check)

        assert len(self.results) == 2

        good, bad = self.results.results[0], self.results.results[1]

        assert good.result == constants.SUCCESS
        assert good.source == 'ipahealthcheck.ipa.certs'
        assert good.check == 'IPACertRevocation'

        assert bad.result == constants.ERROR
        assert bad.source == 'ipahealthcheck.ipa.certs'
        assert bad.check == 'IPACertRevocation'
        assert bad.kw.get('revocation_reason') == 'superseded'
class TestExpiration(BaseTest):
    """Exercise IPACertmongerExpirationCheck with mocked certmonger requests.

    Verifies that an already-expired request is an ERROR and that a request
    expiring inside the configured window is a WARNING.
    """

    # Dotted target names mapped to their replacement mocks.
    # NOTE(review): presumably applied by BaseTest around each test - confirm.
    patches = {
        'ipahealthcheck.ipa.certs.get_expected_requests':
        Mock(return_value=get_expected_requests()),
        'ipalib.install.certmonger._cm_dbus_object':
        Mock(side_effect=create_mock_dbus),
        'ipalib.install.certmonger._certmonger':
        Mock(return_value=_certmonger()),
    }

    def test_expiration(self):
        """Request 1234 is reported expired, request 5678 is fine."""
        set_requests()

        registry.initialize(object(), config.Config)
        check = IPACertmongerExpirationCheck(registry)
        # The threshold is assigned as a string here.
        check.config.cert_expiration_days = '7'

        self.results = capture_results(check)

        assert len(self.results) == 2

        expired = self.results.results[0]
        assert expired.result == constants.ERROR
        assert expired.source == 'ipahealthcheck.ipa.certs'
        assert expired.check == 'IPACertmongerExpirationCheck'
        assert expired.kw.get('key') == '1234'
        # NOTE(review): the 1970 date presumably comes from the default
        # fixture data installed by set_requests() - confirm.
        assert expired.kw.get('expiration_date') == '19700101001704Z'

        healthy = self.results.results[1]
        assert healthy.result == constants.SUCCESS
        assert healthy.source == 'ipahealthcheck.ipa.certs'
        assert healthy.check == 'IPACertmongerExpirationCheck'
        assert healthy.kw.get('key') == '5678'

    def test_expiration_warning(self):
        """A request expiring in about 20 days triggers a WARNING."""
        expires_at = datetime.now(timezone.utc) + timedelta(days=20)

        # Replacement for the first default request, expiring soon.
        soon_to_expire = {
            'nickname': '7777',
            'cert-file': paths.RA_AGENT_PEM,
            'key-file': paths.RA_AGENT_KEY,
            'ca-name': 'dogtag-ipa-ca-renew-agent',
            'not-valid-after': int(expires_at.timestamp()),
        }

        set_requests(remove=0, add=soon_to_expire)

        registry.initialize(object(), config.Config)
        check = IPACertmongerExpirationCheck(registry)
        check.config.cert_expiration_days = str(CERT_EXPIRATION_DAYS)

        self.results = capture_results(check)

        assert len(self.results) == 2

        healthy = self.results.results[0]
        assert healthy.result == constants.SUCCESS
        assert healthy.source == 'ipahealthcheck.ipa.certs'
        assert healthy.check == 'IPACertmongerExpirationCheck'
        assert healthy.kw.get('key') == '5678'

        expiring = self.results.results[1]
        assert expiring.result == constants.WARNING
        assert expiring.source == 'ipahealthcheck.ipa.certs'
        assert expiring.check == 'IPACertmongerExpirationCheck'
        assert expiring.kw.get('key') == '7777'
        # 19 rather than 20: presumably whole days remaining, measured a
        # moment after expires_at was computed - confirm against the check.
        assert expiring.kw.get('days') == 19
class TestIPACertificateFile(BaseTest):
    """Exercise IPACertfileExpirationCheck with a mocked certificate loader.

    Each test leaves a single tracked request in place and controls the
    not_valid_after value of the certificate returned for it.
    """

    # Dotted target names mapped to their replacement mocks.
    # NOTE(review): presumably applied by BaseTest around each test - confirm.
    patches = {
        'ipahealthcheck.ipa.certs.get_expected_requests':
        Mock(return_value=get_expected_requests()),
        'ipalib.install.certmonger._cm_dbus_object':
        Mock(side_effect=create_mock_dbus),
        'ipalib.install.certmonger._certmonger':
        Mock(return_value=_certmonger()),
    }

    # NOTE(review): the tests below use datetime.utcnow(), which returns a
    # naive datetime and is deprecated since Python 3.12, while
    # TestExpiration in this file uses datetime.now(timezone.utc). Left as
    # is because the check may compare against a naive value - confirm.

    @patch('ipalib.x509.load_certificate_from_file')
    def test_certfile_expiration(self, mock_load_cert):
        """A certificate valid beyond the threshold is a SUCCESS."""
        set_requests(remove=1)

        # Expires in 30 days, outside the 28-day window configured below.
        not_after = datetime.utcnow() + timedelta(days=30)
        mock_load_cert.return_value = IPACertificate(not_valid_after=not_after)

        registry.initialize(object())
        check = IPACertfileExpirationCheck(registry)
        check.config = config.Config()
        check.config.cert_expiration_days = 28

        self.results = capture_results(check)

        assert len(self.results) == 1

        outcome = self.results.results[0]
        assert outcome.result == constants.SUCCESS
        assert outcome.source == 'ipahealthcheck.ipa.certs'
        assert outcome.check == 'IPACertfileExpirationCheck'
        assert outcome.kw.get('key') == '1234'

    @patch('ipalib.x509.load_certificate_from_file')
    def test_certfile_expiration_warning(self, mock_load_cert):
        """A certificate expiring inside the threshold is a WARNING."""
        set_requests(remove=1)

        # Expires in 7 days, inside the 30-day window configured below.
        not_after = datetime.utcnow() + timedelta(days=7)
        mock_load_cert.return_value = IPACertificate(not_valid_after=not_after)

        registry.initialize(object())
        check = IPACertfileExpirationCheck(registry)
        check.config = config.Config()
        check.config.cert_expiration_days = 30

        self.results = capture_results(check)

        assert len(self.results) == 1

        outcome = self.results.results[0]
        assert outcome.result == constants.WARNING
        assert outcome.source == 'ipahealthcheck.ipa.certs'
        assert outcome.check == 'IPACertfileExpirationCheck'
        assert outcome.kw.get('key') == '1234'
        # 6 rather than 7: presumably whole days remaining, measured a
        # moment after not_after was computed - confirm against the check.
        assert 'expires in 6 days' in outcome.kw.get('msg')

    @patch('ipalib.x509.load_certificate_from_file')
    def test_certfile_expiration_expired(self, mock_load_cert):
        """A certificate whose validity ended in the past is an ERROR."""
        set_requests(remove=1)

        # Validity ended 100 days ago.
        not_after = datetime.utcnow() + timedelta(days=-100)
        mock_load_cert.return_value = IPACertificate(not_valid_after=not_after)

        registry.initialize(object())
        check = IPACertfileExpirationCheck(registry)
        check.config = config.Config()
        check.config.cert_expiration_days = 30

        self.results = capture_results(check)

        assert len(self.results) == 1

        outcome = self.results.results[0]
        assert outcome.result == constants.ERROR
        assert outcome.source == 'ipahealthcheck.ipa.certs'
        assert outcome.check == 'IPACertfileExpirationCheck'
        assert outcome.kw.get('key') == '1234'
        assert 'Request id 1234 expired on' in outcome.kw.get('msg')