URL: https://github.com/freeipa/freeipa/pull/4990 Author: rcritten Title: #4990: ipatests: Test healthcheck revocation checker Action: opened
PR body: """ Revoke the Apache certificate and ensure that healthcheck properly reports the problem. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4990/head:pr4990 git checkout pr4990
From 9572c52dab940bbfa95c006cb37faef0cc68b154 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 4 Aug 2020 20:25:57 -0400
Subject: [PATCH 1/2] ipatests: Test healthcheck revocation checker

Revoke the Apache certificate and ensure that healthcheck properly reports the problem.
---
 .../test_integration/test_ipahealthcheck.py | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 6adb6c463b..cf406f56c0 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -21,6 +21,7 @@
 from ipatests.pytest_ipa.integration import tasks
 from ipaplatform.paths import paths
 from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.test_cert import get_certmonger_fs_id
 
 HEALTHCHECK_LOG = "/var/log/ipa/healthcheck/healthcheck.log"
 HEALTHCHECK_SYSTEMD_FILE = (
@@ -645,6 +646,43 @@ def test_ipa_healthcheck_ds_ruv_check(self):
 ruvs.remove(check["kw"]["ruv"])
 assert not ruvs
 
+ def test_ipa_healthcheck_revocation(self):
+ """
+ Ensure that healthcheck reports when IPA certs are revoked.
+ """
+ error_msg = (
+ "Certificate tracked by {key} is revoked {revocation_reason}"
+ )
+
+ result = self.master.run_command(
+ ["getcert", "list", "-f", paths.HTTPD_CERT_FILE]
+ )
+ request_id = get_certmonger_fs_id(result.stdout_text)
+
+ # Revoke the web cert
+ certfile = self.master.get_file_contents(paths.HTTPD_CERT_FILE)
+ cert = x509.load_certificate_list(certfile)
+ serial = cert[0].serial_number
+ self.master.run_command(["ipa", "cert-revoke", str(serial)])
+
+ # re-run to confirm
+ returncode, data = run_healthcheck(
+ self.master,
+ "ipahealthcheck.ipa.certs",
+ "IPACertRevocation"
+ )
+
+ assert returncode == 1
+ assert len(data) == 12
+
+ for check in data:
+ if check["kw"]["key"] == request_id:
+ assert check["result"] == "ERROR"
+ assert check["kw"]["revocation_reason"] == "unspecified"
+ assert check["kw"]["msg"] == error_msg
+ else:
+ assert check["result"] == "SUCCESS"
+
 def test_ipa_healthcheck_without_trust_setup(self):
 """
 This testcase checks that when trust isn't setup between IPA
From e6af39dc22d3ef06f6fa5f9df93e26fd72ad5d6a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 4 Aug 2020 20:28:17 -0400
Subject: [PATCH 2/2] Temp commit

---
 .freeipa-pr-ci.yaml | 2 +-
 ipatests/prci_definitions/temp_commit.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b63..8065669008 120000
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/temp_commit.yaml
\ No newline at end of file
diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml
index e337068145..8a648080c1 100644
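Review bot: `test_ipa_healthcheck_revocation` revokes the master's HTTPD certificate and never restores it; the test itself expects the reason `unspecified`, and unlike a certificate hold that revocation is not reversible, so every test that runs after it in the class sees a revoked web certificate. Put the revoke-and-assert part in `try:` and re-issue in `finally:` with something like `self.master.run_command(["getcert", "resubmit", "-i", request_id])`, waiting for the request to settle before returning, or move the test into a class with its own topology. The bare `assert len(data) == 12` would also benefit from a comment such as `# one IPACertRevocation result per certmonger request tracked on this master`, after confirming that is where 12 comes from. The rest of the class and the file's imports are outside the hunk, so which later tests depend on a valid certificate, and whether `x509` is already imported, cannot be checked from here.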
--- a/ipatests/prci_definitions/temp_commit.yaml
+++ b/ipatests/prci_definitions/temp_commit.yaml
@@ -68,7 +68,7 @@ jobs:
 class: RunPytest
 args:
 build_url: '{fedora-latest/build_url}'
- test_suite: test_integration/test_REPLACEME.py
+ test_suite: test_integration/test_ipahealthcheck.py::TestIpaHealthCheck
 template: *ci-master-latest
- timeout: 3600
+ timeout: 4800
 topology: *master_1repl_1client