URL: https://github.com/freeipa/freeipa/pull/4949 Author: rcritten Title: #4949: ipatests: Test that healthcheck detects and reports expiration Action: opened
PR body: """ ipatests: Test that healthcheck detects and reports expiration Set the date forward to a point where the certificates are still valid, then run healthcheck to confirm that the appropriate warning is raised. This validates two separate checks, one that relies on certmonger to report expiration and one that relies on the data on disk to determine expiration in case certmonger is out-of-date for some reason (belt and suspenders). """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4949/head:pr4949 git checkout pr4949
From 0be7761faa583af97b5d93d7c7dde87b167a77bc Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 28 Jul 2020 11:47:14 -0400
Subject: [PATCH 1/2] ipatests: Test that healthcheck detects and reports expiration

Set the date forward to while the certificates are still valid and run healthcheck to confirm that an appropriate warning is made. This validates two separate checks, one that relies on certmonger to report expiration and one that relies on the data on disk to determine expiration in case certmonger is out-of-date for some reason (belt and suspenders).

Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
---
 .../test_integration/test_ipahealthcheck.py | 59 +++++++++++++++++++
 1 file changed, 59 insertions(+)

diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 729a685284..790d6ef1da 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -7,12 +7,14 @@ from __future__ import absolute_import
+from datetime import datetime, timedelta
 import json
 import re
 import pytest
 from ipalib import api
+from ipalib import x509
 from ipapython.ipaldap import realm_to_serverid
 from ipatests.pytest_ipa.integration import tasks
 from ipaplatform.paths import paths
@@ -760,6 +762,63 @@ def test_chainexpiration_check_without_cert(self, move_ipa_ca_crt):
 assert check["kw"]["error"] == error_text
 assert check["kw"]["msg"] == msg_text
+ def test_ipa_healthcheck_expiring(self):
+ """
+ There are two overlapping tests for expiring certs, check both.
+ """
+
+ def execute_expiring_check(check):
+ """
+ Test that certmonger will report warnings if expiration is near
+ """
+
+ returncode, data = run_healthcheck(
+ self.master,
+ "ipahealthcheck.ipa.certs",
+ check,
+ )
+
+ assert returncode == 1
+ assert len(data) == 9 # non-KRA is 9 tracked certs
+
+ for check in data:
+ if check["result"] == "SUCCESS":
+ # The CA is not expired
+ request = self.master.run_command(
+ ["getcert", "list", "-i", check["kw"]["key"]]
+ )
+ assert "caSigningCert cert-pki-ca" in request.stdout_text
+ else:
+ assert check["result"] == "WARNING"
+ if check["kw"]["days"] == 20:
+ # the httpd, 389-ds and KDC renewal dates are later
+ certs = (paths.HTTPD_CERT_FILE, paths.KDC_CERT,
+ '/etc/dirsrv/slapd-',)
+ request = self.master.run_command(
+ ["getcert", "list", "-i", check["kw"]["key"]]
+ )
+ assert any(cert in request.stdout_text
+ for cert in certs)
+ else:
+ assert check["kw"]["days"] == 9
+
+ # Pick a cert to find the upcoming expiration
+ certfile = self.master.get_file_contents(paths.RA_AGENT_PEM)
+ cert = x509.load_certificate_list(certfile)
+ cert_expiry = cert[0].not_valid_after
+
+ # move date to the grace period
+ self.master.run_command(['systemctl', 'stop', 'chronyd'])
+ grace_date = cert_expiry - timedelta(days=10)
+ grace_date = datetime.strftime(grace_date, "%Y-%m-%d %H:%M:%S")
+ self.master.run_command(['date', '-s', grace_date])
+
+ for check in ("IPACertmongerExpirationCheck",
+ "IPACertfileExpirationCheck",):
+ execute_expiring_check(check)
+
+ self.master.run_command(['systemctl', 'start', 'chronyd'])
+
 def test_ipa_healthcheck_remove(self):
 """
 This testcase checks the removal of of healthcheck tool
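Review bot: The clock is only restored on the success path — `self.master.run_command(['systemctl', 'start', 'chronyd'])` on the last added line runs after the check loop, so a failed assertion inside `execute_expiring_check` leaves the master with chronyd stopped and its date set ten days before certificate expiry for every later test in the class, and those tests then fail for unrelated, time-dependent reasons (expired Kerberos tickets, cert warnings). Wrapping the date change and the loop in `try`/`finally` makes the restore unconditional; restarting chronyd alone may not step a clock this far back, so it is worth confirming on the test host that time actually recovers before the next test. Separately, `for check in data:` inside `execute_expiring_check` rebinds the function's own `check` parameter (the healthcheck source name) to each result dict, which is hard to follow — renaming the loop variable to `result` avoids the shadowing. The hard-coded `assert len(data) == 9` also ties the test to a non-KRA topology, as the comment admits; a comment naming which tracked certs make up the nine would help whoever has to update it.
```python
        # … unchanged: execute_expiring_check, cert_expiry computation …
        self.master.run_command(['systemctl', 'stop', 'chronyd'])
        try:
            grace_date = cert_expiry - timedelta(days=10)
            grace_date = datetime.strftime(grace_date, "%Y-%m-%d %H:%M:%S")
            self.master.run_command(['date', '-s', grace_date])

            for check in ("IPACertmongerExpirationCheck",
                          "IPACertfileExpirationCheck",):
                execute_expiring_check(check)
        finally:
            # always re-enable time sync, even when a check assertion fails
            self.master.run_command(['systemctl', 'start', 'chronyd'])
```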
From 9bc2042c497fa18f350152cd134b0177c43e770d Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 28 Jul 2020 16:26:54 -0400
Subject: [PATCH 2/2] Temp commit

---
 .freeipa-pr-ci.yaml | 2 +-
 ipatests/prci_definitions/temp_commit.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b63..8065669008 120000
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/temp_commit.yaml
\ No newline at end of file
diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml
index e337068145..855b273e83 100644
--- a/ipatests/prci_definitions/temp_commit.yaml
+++ b/ipatests/prci_definitions/temp_commit.yaml
@@ -68,7 +68,7 @@ jobs:
 class: RunPytest
 args:
 build_url: '{fedora-latest/build_url}'
- test_suite: test_integration/test_REPLACEME.py
+ test_suite: test_integration/test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring
 template: *ci-master-latest
- timeout: 3600
+ timeout: 4800
 topology: *master_1repl_1client
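Review bot: The `.freeipa-pr-ci.yaml` symlink now resolves to `ipatests/prci_definitions/temp_commit.yaml` instead of `gating.yaml`, so if this commit landed the PR gating suite would be replaced by the single selected test in `temp_commit.yaml`. The subject "Temp commit" indicates it is a CI-only change for this PR; it should be dropped from the branch before merge rather than squashed into the test commit.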