def test_missing_csr(self, expire_cert_critical):
    """Check that ipa-cert-fix copes with a CSR missing from CS.cfg.

    Test case for https://pagure.io/freeipa/issue/8618

    Scenario:
    - move the date so that ServerCert cert-pki-ca is expired
    - remove the ca.sslserver.certreq directive from CS.cfg
    - call getcert resubmit in order to create the CSR in the
      certmonger file
    - run ipa-cert-fix; no issue should be seen
    """
    master = self.master
    expire_cert_critical(master)

    # CS.cfg may only be edited while pki is stopped.
    master.run_command(['ipactl', 'stop'])
    strip_certreq = ['sed', '-i', r'/ca\.sslserver\.certreq=/d',
                     paths.CA_CS_CFG_PATH]
    master.run_command(strip_certreq)

    # ipa-cert-fix needs dirsrv to be running; other services are
    # allowed to fail at this point.
    master.run_command(['ipactl', 'start', '--ignore-service-failures'])

    # getcert resubmit is what creates the CSR in certmonger. In normal
    # operation it is triggered automatically close to expiry; the test
    # forces it.
    resubmit = ['getcert', 'resubmit',
                '-n', 'Server-Cert cert-pki-ca',
                '-d', paths.PKI_TOMCAT_ALIAS_DIR]
    master.run_command(resubmit)
    # Wait a few seconds before running the fix.
    time.sleep(3)

    # The real test: ipa-cert-fix must not complain about a missing
    # sslserver.crt. raiseonerr=False is used so that the return code can
    # be checked explicitly below.
    fix = master.run_command(['ipa-cert-fix', '-v'],
                             stdin_text='yes\n', raiseonerr=False)
    missing_crt = ("No such file or directory: "
                   "'/etc/pki/pki-tomcat/certs/sslserver.crt'")
    assert missing_crt not in fix.stderr_text

    # Because of BZ 1897120, pki-cert-fix fails on pki-core 10.10.0, so
    # the return code is only checked on other versions.
    # https://bugzilla.redhat.com/show_bug.cgi?id=1897120
    installed_pki = tasks.get_pki_version(master)
    if installed_pki != tasks.parse_version('10.10.0'):
        assert fix.returncode == 0

    # Number of certificates tracked by certmonger.
    listing = master.run_command(['getcert', 'list'])
    tracked = listing.stdout_text.count('Request ID')

    # Poll for up to 10 minutes until every tracked certificate is back
    # in MONITORING state.
    timeout = 600
    began = time.time()
    while time.time() - began < timeout:
        listing = master.run_command(['getcert', 'list'])
        monitoring = listing.stdout_text.count('status: MONITORING')
        if monitoring == tracked:
            break
        time.sleep(100)
    else:
        # The loop ran out of time without all certs being renewed.
        raise AssertionError('Timeout: Failed to renew all the certs')
def test_kra_detection(self):
    """Check that ipa-server-upgrade detects KRA presence correctly.

    Test for https://pagure.io/freeipa/issue/8596

    When the directory /var/lib/pki/pki-tomcat/kra/ exists, the upgrade
    wrongly assumes that the KRA component is installed and crashes.
    The test creates an empty directory and runs ipa-server-upgrade to
    make sure KRA detection does not rely on the directory's presence.
    """
    # pki 10.10.0 fails to start when an empty
    # /var/lib/pki/pki-tomcat/kra directory exists
    # (https://github.com/dogtagpki/pki/issues/3397), so the test is
    # skipped on that version.
    installed_pki = tasks.get_pki_version(self.master)
    if installed_pki == tasks.parse_version('10.10.0'):
        pytest.skip("Skip test with pki 10.10.0")

    kra_path = os.path.join(paths.VAR_LIB_PKI_TOMCAT_DIR, "kra")
    try:
        self.master.run_command(["mkdir", "-p", kra_path])
        upgrade = self.master.run_command(['ipa-server-upgrade'])
        assert 'Upgrade failed with no such entry' not in upgrade.stderr_text
    finally:
        # Always remove the fake KRA directory again. rmdir only removes
        # an empty directory, so nothing else is deleted by the cleanup.
        self.master.run_command(["rmdir", kra_path])
def test_ipahealthcheck_hidden_replica(self):
    """Run ipa-healthcheck on every member of a cluster with a hidden replica.

    The check must succeed on both the master and the hidden replica.
    """
    platform = tasks.get_platform(self.master)
    platform_version = tasks.get_platform_version(self.master)
    pki_version = tasks.get_pki_version(self.master)

    # Verify the expected state before running the healthcheck.
    self._check_config([self.master], [self.replicas[0]])

    # ipa-healthcheck needs a DNA range on the replica; adding (and then
    # deleting) a user there makes the replica obtain one.
    tasks.user_add(self.replicas[0], 'testuser')
    tasks.user_del(self.replicas[0], 'testuser')

    for srv in (self.master, self.replicas[0]):
        returncode, _unused = run_healthcheck(srv, failures_only=True)

        # With a pki older than the per-platform version below, a
        # failure is expected (xfail) rather than treated as an error.
        if platform == 'fedora':
            pki_too_old = pki_version < tasks.parse_version('11.1.0')
        elif platform == 'rhel' and platform_version[0] == 8:
            pki_too_old = pki_version < tasks.parse_version('10.12.0')
        elif platform == 'rhel' and platform_version[0] == 9:
            pki_too_old = pki_version < tasks.parse_version('11.0.4')
        else:
            pki_too_old = False

        with xfail_context(pki_too_old,
                           'https://pagure.io/freeipa/issue/8582'):
            assert returncode == 0
def test_missing_startup(self, expire_cert_critical):
    """Check ipa-cert-fix when the startup selftest directive is missing.

    If the 'selftests.container.order.startup' directive is missing from
    CS.cfg, ipa-cert-fix fails and reports a proper error message, and
    the underlying 'pki-server cert-fix' command fails to renew the
    cert.

    related: https://pagure.io/freeipa/issue/8721

    With https://github.com/dogtagpki/pki/pull/3466 the behaviour changed
    to displaying a warning instead of failing, so the test also checks
    that the proper warning is displayed (depending on the pki version).

    related: https://pagure.io/freeipa/issue/8890
    """
    master = self.master
    expire_cert_critical(master)

    # CS.cfg may only be edited while pki is stopped.
    master.run_command(['ipactl', 'stop'])
    drop_startup = ['sed', '-i',
                    r'/selftests\.container\.order\.startup/d',
                    paths.CA_CS_CFG_PATH]
    master.run_command(drop_startup)

    # ipa-cert-fix needs dirsrv to be running.
    master.run_command(['ipactl', 'start', '--ignore-service-failures'])

    # raiseonerr=False: the outcome is judged from the command output
    # below, not from the exit status.
    fix = master.run_command(['ipa-cert-fix', '-v'],
                             stdin_text='yes\n', raiseonerr=False)

    directive_error = "ERROR: 'selftests.container.order.startup'"
    # Reported when the pki-server cert-fix command itself fails.
    cert_fix_error = ("ERROR: CalledProcessError(Command "
                      "['pki-server', 'cert-fix'")
    selftest_warning = ("WARNING: No selftests configured in "
                        f"{paths.CA_CS_CFG_PATH} "
                        "(selftests.container.order.startup)")

    installed_pki = tasks.get_pki_version(master)
    if installed_pki < tasks.parse_version('10.11.0'):
        # Older pki: both errors are expected on stderr.
        assert all(message in fix.stderr_text
                   for message in (directive_error, cert_fix_error))
    else:
        # Newer pki: only a warning, printed on stdout.
        assert selftest_warning in fix.stdout_text