URL: https://github.com/freeipa/freeipa/pull/5404 Author: flo-renaud Title: #5404: [Backport][ipa-4-8] Include the CA profile when modifying request in ipa_certupdate Action: opened
PR body: """ This PR was opened automatically because PR #5393 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5404/head:pr5404 git checkout pr5404
From 483ccc0ade1bd80a575691a6a535addd60b5a8dc Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Mon, 4 Jan 2021 17:01:33 -0500
Subject: [PATCH 1/2] Don't change the CA profile when modifying request in ipa_certupdate
The CA tracking request is modified (it calls renew but it doesn't actually do a renewal) as part of ipa-certupdate and it dropped the profile. ipa-healthcheck discovered this condition.
https://pagure.io/freeipa/issue/8644
Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
---
 ipaclient/install/ipa_certupdate.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py
index d8d65f26b24..9cf1e954b81 100644
--- a/ipaclient/install/ipa_certupdate.py
+++ b/ipaclient/install/ipa_certupdate.py
@@ -171,7 +171,7 @@ def update_server(certs):
 #
 logger.debug("resubmitting certmonger request '%s'", request_id)
 certmonger.resubmit_request(
- request_id, ca='dogtag-ipa-ca-renew-agent-reuse', profile='')
+ request_id, ca='dogtag-ipa-ca-renew-agent-reuse')
 try:
 state = certmonger.wait_for_request(request_id, timeout)
 except RuntimeError:
From eeb78eaf7da7e46d7ef91014292816da8f52ac9d Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Mon, 4 Jan 2021 17:03:39 -0500
Subject: [PATCH 2/2] ipatests: test that no errors are reported after ipa-certupdate
The CA tracking request was modified to drop the profile which was caught by ipa-healthcheck. Run ipa-certupdate then ipa-healthcheck to confirm that no problems are introduced.
https://pagure.io/freeipa/issue/8644
Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
---
 ipatests/test_integration/test_ipahealthcheck.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 3e6614511ce..361b19c1370 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
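Review bot: In ipaclient/install/ipa_certupdate.py, the `certmonger.resubmit_request(` call in `update_server` now relies on an omitted `profile` argument meaning "leave the tracked profile unchanged", and nothing at the call site records that. The commit message says the previous `profile=''` dropped the profile from the CA tracking request, so a later cleanup that re-adds the argument would silently bring the fault back; a comment above the call such as `# Do not pass profile here: an empty value clears the profile on the CA tracking request (https://pagure.io/freeipa/issue/8644)` would guard against that. The definition of `resubmit_request` is not part of this patch, so it is worth confirming that an omitted profile is treated as "no change" rather than replaced by some default. `update_server` begins and ends outside the hunk.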
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -280,6 +280,20 @@ def test_human_output(self, restart_service):
 assert output == \
 "ERROR: ipahealthcheck.meta.services.sssd: sssd: not running"

+ def test_ipa_healthcheck_after_certupdate(self):
+ """
+ Verify that ipa-certupdate hasn't messed up tracking
+
+ ipa-certupdate was dropping the profile value from the CA
+ signing cert tracking. ipa-healthcheck discovered this.
+
+ Run ipa-healthcheck after ipa-certupdate to ensure that
+ no problems are discovered.
+ """
+ self.master.run_command([paths.IPA_CERTUPDATE])
+ returncode, _data = run_healthcheck(self.master)
+ assert returncode == 0
+
 def test_dogtag_ca_check_exists(self):
 """
 Testcase to verify checks available in
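Review bot: `test_ipa_healthcheck_after_certupdate` asserts only `returncode == 0` and discards the healthcheck output in `_data`, so a failure will not say which check fired. Binding the result and using it as the assertion message, `returncode, data = run_healthcheck(self.master)` followed by `assert returncode == 0, data`, would put the failing check into the test log. As written the run appears to cover every healthcheck source, so an unrelated problem on the master would also fail this test; if `run_healthcheck` can be limited to the certificate-tracking check, doing so would tie the test to the regression it is meant to catch. The enclosing test class is declared outside the hunk.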