URL: https://github.com/freeipa/freeipa/pull/5405 Author: flo-renaud Title: #5405: [Backport][ipa-4-9] Include the CA profile when modifying request in ipa_certupdate Action: opened
PR body: """ This PR was opened automatically because PR #5393 was pushed to master and backport to ipa-4-9 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5405/head:pr5405 git checkout pr5405
From e8e6c7f50502c5f86f4cc519b4c11902c32c1f7b Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Mon, 4 Jan 2021 17:01:33 -0500 Subject: [PATCH 1/2] Don't change the CA profile when modifying request in ipa_certupdate The CA tracking request is modified (it calls renew but it doesn't actually do a renewal) as part of ipa-certupdate and it dropped the profile. ipa-healthcheck discovered this condition. https://pagure.io/freeipa/issue/8644 Signed-off-by: Rob Crittenden <rcrit...@redhat.com> --- ipaclient/install/ipa_certupdate.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py
index f6f2dec4dea..6311ffea9d9 100644
--- a/ipaclient/install/ipa_certupdate.py
+++ b/ipaclient/install/ipa_certupdate.py
@@ -188,7 +188,7 @@ def update_server(certs):
 #
 logger.debug("resubmitting certmonger request '%s'", request_id)
 certmonger.resubmit_request(
- request_id, ca='dogtag-ipa-ca-renew-agent-reuse', profile='')
+ request_id, ca='dogtag-ipa-ca-renew-agent-reuse')
 try:
 state = certmonger.wait_for_request(request_id, timeout)
 except RuntimeError:
From 28db654dab5c9e02882e3351128075fb3a95347c Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Mon, 4 Jan 2021 17:03:39 -0500 Subject: [PATCH 2/2] ipatests: test that no errors are reported after ipa-certupdate The CA tracking request was modified to drop the profile which was caught by ipa-healthcheck. Run ipa-certupdate then ipa-healthcheck to confirm that no problems are introduced. https://pagure.io/freeipa/issue/8644 Signed-off-by: Rob Crittenden <rcrit...@redhat.com> --- ipatests/test_integration/test_ipahealthcheck.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index bb198113efb..92ad1860e17 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
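Review bot: The `resubmit_request` call in `update_server` now depends on the helper leaving the tracked profile untouched when `profile` is omitted, and nothing at the call site says the omission is deliberate. `resubmit_request` is not visible here, so that default should be confirmed; a short comment such as `# profile intentionally not passed: keep the CA profile already on the tracking request (issue 8644)` would stop a later edit from re-adding `profile=''`. The change also appears only to prevent further loss: a host where an earlier ipa-certupdate run already cleared the profile on the CA signing-cert tracking request presumably stays in that state until it is repaired separately, and ipa-healthcheck is what reports that condition. The body of `update_server` starts and ends outside the hunk.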
+++ b/ipatests/test_integration/test_ipahealthcheck.py @@ -284,6 +284,20 @@ def test_human_output(self, restart_service): assert output == \ "ERROR: ipahealthcheck.meta.services.sssd: sssd: not running" + def test_ipa_healthcheck_after_certupdate(self): + """ + Verify that ipa-certupdate hasn't messed up tracking + + ipa-certupdate was dropping the profile value from the CA + signing cert tracking. ipa-healthcheck discovered this. + + Run ipa-healthcheck after ipa-certupdate to ensure that + no problems are discovered. + """ + self.master.run_command([paths.IPA_CERTUPDATE]) + returncode, _data = run_healthcheck(self.master) + assert returncode == 0 + def test_dogtag_ca_check_exists(self): """ Testcase to verify checks available in
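Review bot: `test_ipa_healthcheck_after_certupdate` throws away the healthcheck output, so when `returncode` is non-zero the failure does not say which check fired; keeping it in the assertion message helps: `returncode, data = run_healthcheck(self.master)` and `assert returncode == 0, data`. Because the run is not limited to one check, the test can also fail for reasons unrelated to certificate tracking, and it would still pass if the tracking check were skipped. Restricting the run to the tracking check, if `run_healthcheck` supports selecting one (its signature is not shown here), would tie the test to the regression described in the docstring. The enclosing test class starts and ends outside the hunk.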