URL: https://github.com/freeipa/freeipa/pull/5913 Author: fcami Title: #5913: [Backport][ipa-4-9] test_acme: make password renewal more robust Action: opened
PR body: """ This PR was opened automatically because PR #5910 was pushed to master and backport to ipa-4-9 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5913/head:pr5913 git checkout pr5913
From 8eea96cb7124e0b40be025272aea7498b2eb8701 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fc...@redhat.com> Date: Tue, 20 Jul 2021 20:19:16 +0200 Subject: [PATCH 1/2] test_acme: refactor with tasks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: François Cami <fc...@redhat.com> --- ipatests/pytest_ipa/integration/tasks.py | 11 +++++++++++ ipatests/test_integration/test_acme.py | 19 ++++--------------- 2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 22c7ba7827b..c2e5486173b 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -2800,3 +2800,14 @@ def is_package_installed(host, pkg):
 'is_package_installed: unknown platform %s' % platform
 )
 return result.returncode == 0
+
+
+def move_date(host, chrony_cmd, date_str):
+ """Helper method to move system date
+ :param host: host on which date is to be manipulated
+ :param chrony_cmd: systemctl command to apply to
+ chrony service, for instance 'start', 'stop'
+ :param date_str: date string to change the date i.e '3years2months1day1'
+ """
+ host.run_command(['systemctl', chrony_cmd, 'chronyd'])
+ host.run_command(['date', '-s', date_str])
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index d90f1ff7d41..b4aa1b3512b 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
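Review bot: In `move_date` as added to tasks.py, the `systemctl <chrony_cmd> chronyd` call always runs before `date -s`, so on the restore path (`'start'`, `'-90days'`) chronyd is already running when the relative offset is applied. If chronyd happens to correct the clock first, the host would end up about 90 days in the past, and Kerberos and certificate validity checks would then fail for reasons unrelated to the test. Consider setting the date before starting chronyd on that path, or stating the ordering constraint in the docstring. The docstring example `'3years2months1day1'` also carries a stray trailing `1` and does not match the signed offsets callers pass; `:param date_str: argument passed to date -s, e.g. '+90days'` would be clearer.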
@@ -35,17 +35,6 @@ CERTBOT_DNS_IPA_SCRIPT = '/usr/libexec/ipa/acme/certbot-dns-ipa'
-def move_date(host, chrony_cmd, date_str):
- """Helper method to move system date
- :param host: host on which date is to be manipulated
- :param chrony_cmd: systemctl command to apply to
- chrony service, for instance 'start', 'stop'
- :param date_str: date string to change the date i.e '3years2months1day1'
- """
- host.run_command(['systemctl', chrony_cmd, 'chronyd'])
- host.run_command(['date', '-s', date_str])
-
-
 def check_acme_status(host, exp_status, timeout=60):
 """Helper method to check the status of acme server"""
 for _i in range(0, timeout, 5):
@@ -598,8 +587,8 @@ def issue_and_expire_cert(self):
 )
 # move system date to expire acme cert
 for host in self.clients[0], self.master:
- host.run_command(['kdestroy', '-A'])
- move_date(host, 'stop', '+90days')
+ tasks.kdestroy_all(host)
+ tasks.move_date(host, 'stop', '+90days')
 self.clients[0].run_command(
 ['kinit', 'admin'],
 stdin_text=cmd_input.format(
@@ -611,8 +600,8 @@ def issue_and_expire_cert(self):
 # move back date
 for host in self.clients[0], self.master:
- host.run_command(['kdestroy', '-A'])
- move_date(host, 'start', '-90days')
+ tasks.kdestroy_all(host)
+ tasks.move_date(host, 'start', '-90days')
 tasks.kinit_admin(host)
 @pytest.mark.skipif(skip_certbot_tests, reason='certbot not available')
From c6f4e8f5e64da74ef6098e9c6e3634c6d5d8e8ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fc...@redhat.com> Date: Tue, 20 Jul 2021 20:22:23 +0200 Subject: [PATCH 2/2] test_acme: make password renewal more robust MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A kinit immediately following a password change can fail. Setting KRB5_TRACE and retrieving kdcinfo will help to understand the cause of failure. Fixes: https://pagure.io/freeipa/issue/8929
Signed-off-by: François Cami <fc...@redhat.com> --- ipatests/test_integration/test_acme.py | 28 +++++++++++++------------- 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index b4aa1b3512b..10195a95f93 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -576,25 +576,25 @@ def issue_and_expire_cert(self):
 # request a standalone acme cert
 certbot_standalone_cert(self.clients[0], self.acme_server)
- cmd_input = (
- # Password for admin@{REALM}:
- "{pwd}\n"
- # Password expired. You must change it now.
- # Enter new password:
- "{pwd}\n"
- # Enter it again:
- "{pwd}\n"
- )
 # move system date to expire acme cert
 for host in self.clients[0], self.master:
 tasks.kdestroy_all(host)
 tasks.move_date(host, 'stop', '+90days')
- self.clients[0].run_command(
- ['kinit', 'admin'],
- stdin_text=cmd_input.format(
- pwd=self.clients[0].config.admin_password
- )
+
+ tasks.get_kdcinfo(host)
+ # Note raiseonerr=False:
+ # the assert is located after kdcinfo retrieval.
+ result = host.run_command(
+ "KRB5_TRACE=/dev/stdout kinit %s" % 'admin',
+ stdin_text='{0}\n{0}\n{0}\n'.format(
+ self.clients[0].config.admin_password
+ ),
+ raiseonerr=False
 )
+ # Retrieve kdc.$REALM after the password change, just in case SSSD
+ # domain status flipped to online during the password change.
+ tasks.get_kdcinfo(host)
+ assert result.returncode == 0
 yield
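Review bot: The new `assert result.returncode == 0` sits before `yield`, so a failed kinit aborts the fixture during setup and the "move back date" loop that follows `yield` (visible in patch 1/2) never runs. That leaves the client and master 90 days ahead with chronyd stopped for every later test. Wrapping the code from the first `tasks.move_date(...)` call through `yield` in `try:` and putting the restore loop under `finally:` would keep the clock and Kerberos state recoverable. Indentation is not visible on this page, but if `tasks.get_kdcinfo(host)` and `host.run_command(...)` are outside the `for` loop, they reuse the loop variable and so run on `self.master`, whereas the removed code ran kinit on `self.clients[0]`; naming the host explicitly would make the intent unambiguous. `issue_and_expire_cert` starts and ends outside this hunk.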