URL: https://github.com/freeipa/freeipa/pull/5847
Author: rcritten
 Title: #5847: [Backport][ipa-4-9] ipatest: Test ipa-cert-fix fails when 
startup directive is missing from CS.cfg
Action: opened

PR body:
"""
This PR was opened automatically because PR #5821 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5847/head:pr5847
git checkout pr5847
From a238557e29f98d1af63257ff5f627e5698709324 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myu...@redhat.com>
Date: Wed, 9 Jun 2021 16:38:32 +0530
Subject: [PATCH] ipatest: Test ipa-cert-fix fails when startup directive is
 missing from CS.cfg

This test checks that if the 'selftests.container.order.startup' directive
is missing from CS.cfg, ipa-cert-fix fails and throws a proper error
message. It also checks that the underlying command 'pki-server cert-fix'
fails to renew the cert.

related: https://pagure.io/freeipa/issue/8721

Signed-off-by: Mohammad Rizwan <myu...@redhat.com>
---
 .../test_integration/test_ipa_cert_fix.py     | 58 +++++++++++++++++++
 1 file changed, 58 insertions(+)

diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index b2e92d4dcac..496a96486a6 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -82,6 +82,17 @@ def uninstall(cls, mh):
         # the fixture
         pass
 
+    @pytest.fixture
+    def expire_ca_cert(self):
+        tasks.install_master(self.master, setup_dns=False,
+                             extra_args=['--no-ntp'])
+        move_date(self.master, 'stop', '+20Years+1day')
+
+        yield
+
+        tasks.uninstall_master(self.master)
+        move_date(self.master, 'start', '-20Years-1day')
+
     def test_missing_csr(self, expire_cert_critical):
         """
         Test that ipa-cert-fix succeeds when CSR is missing from CS.cfg
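Review bot: The teardown of `expire_ca_cert` restores the clock only if `tasks.uninstall_master(self.master)` returns normally. If the uninstall raises while the host is still 20 years ahead, `move_date(self.master, 'start', '-20Years-1day')` is skipped and the skewed clock would presumably affect every later test on that host. Wrapping the uninstall in `try:` and moving the clock restore into `finally:` makes the rollback unconditional. The fixture also has no docstring; a single line stating that it installs a master and then moves the date forward so that the CA certificate is expired (as the fixture name suggests) would explain the `'+20Years+1day'` offset.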
@@ -180,6 +191,53 @@ def test_ipa_cert_fix_non_ipa(self):
                                          raiseonerr=False)
         assert result.returncode == 2
 
+    def test_missing_startup(self, expire_cert_critical):
+        """
+        Test ipa-cert-fix fails when startup directive is missing from CS.cfg
+
+        This test checks that if 'selftests.container.order.startup' directive
+        is missing from CS.cfg, ipa-cert-fix fails and throw proper error
+        message. It also checks that underlying command 'pki-server cert-fix'
+        should fail to renew the cert.
+
+        related: https://pagure.io/freeipa/issue/8721
+        """
+        expire_cert_critical(self.master)
+        # pki must be stopped in order to edit CS.cfg
+        self.master.run_command(['ipactl', 'stop'])
+        self.master.run_command([
+            'sed', '-i', r'/selftests\.container\.order\.startup/d',
+            paths.CA_CS_CFG_PATH
+        ])
+        # dirsrv needs to be up in order to run ipa-cert-fix
+        self.master.run_command(['ipactl', 'start',
+                                 '--ignore-service-failures'])
+
+        result = self.master.run_command(['ipa-cert-fix', '-v'],
+                                         stdin_text='yes\n',
+                                         raiseonerr=False)
+        err_msg1 = "ERROR: 'selftests.container.order.startup'"
+        # check that pki-server cert-fix command fails
+        err_msg2 = ("ERROR: CalledProcessError(Command "
+                    "['pki-server', 'cert-fix'")
+        assert err_msg1 and err_msg2 in result.stderr_text
+
+    def test_expired_CA_cert(self, expire_ca_cert):
+        """Test to check ipa-cert-fix when CA certificate is expired
+
+        In order to fix expired certs using ipa-cert-fix, CA cert should be
+        valid. If CA cert expired, ipa-cert-fix won't work.
+
+        related: https://pagure.io/freeipa/issue/8721
+        """
+        result = self.master.run_command(['ipa-cert-fix', '-v'],
+                                         stdin_text='yes\n',
+                                         raiseonerr=False)
+        # check that pki-server cert-fix command fails
+        err_msg = ("ERROR: CalledProcessError(Command "
+                   "['pki-server', 'cert-fix'")
+        assert err_msg in result.stderr_text
+
 
 class TestIpaCertFixThirdParty(CALessBase):
     """
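Review bot: In `test_missing_startup`, `assert err_msg1 and err_msg2 in result.stderr_text` parses as `err_msg1 and (err_msg2 in result.stderr_text)`. Because `err_msg1` is a non-empty string, the assertion never checks that the 'selftests.container.order.startup' error was reported, so the test still passes if `ipa-cert-fix` stops emitting that message. Split it into `assert err_msg1 in result.stderr_text` and `assert err_msg2 in result.stderr_text`. Both new tests also call `ipa-cert-fix` with `raiseonerr=False` and never look at `result.returncode`; asserting a non-zero exit would pin the failure the docstrings describe rather than relying on a stderr substring alone.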