From 16057898af69ee795c9c2871ce5936a49d108e1c Mon Sep 17 00:00:00 2001 From: Mohammad Rizwan Date: Wed, 9 Jun 2021 16:38:32 +0530 Subject: [PATCH] ipatest: Test ipa-cert-fix fails when startup directive is missing from CS.cfg This test checks that if 'selftests.container.order.startup' directive is missing from CS.cfg, ipa-cert-fix fails and throw proper error message. It also checks that underlying command 'pki-server cert-fix' should fail to renew the cert. related: https://pagure.io/freeipa/issue/8721 Signed-off-by: Mohammad Rizwan Reviewed-By: Rob Crittenden --- .../test_integration/test_ipa_cert_fix.py | 58 +++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py index 6d5d8a058..212156a00 100644 --- a/ipatests/test_integration/test_ipa_cert_fix.py +++ b/ipatests/test_integration/test_ipa_cert_fix.py @@ -93,6 +93,17 @@ class TestIpaCertFix(IntegrationTest): # the fixture pass + @pytest.fixture + def expire_ca_cert(self): + tasks.install_master(self.master, setup_dns=False, + extra_args=['--no-ntp']) + move_date(self.master, 'stop', '+20Years+1day') + + yield + + tasks.uninstall_master(self.master) + move_date(self.master, 'start', '-20Years-1day') + def test_missing_csr(self, expire_cert_critical): """ Test that ipa-cert-fix succeeds when CSR is missing from CS.cfg 
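Review bot: In the teardown of `expire_ca_cert`, an exception from `tasks.uninstall_master(self.master)` would skip the following `move_date(self.master, 'start', '-20Years-1day')`, leaving the host clock twenty years ahead for whatever runs next on that machine. Whether `uninstall_master` can raise is not visible in this hunk, but putting the uninstall under `try:` and the `move_date` call under `finally:` would make the clock restoration unconditional. The fixture also has no docstring; a short one such as `"""Install the master, then move the clock forward 20 years and 1 day; teardown uninstalls and restores the date."""` would help, with the reason for the 20-year offset (presumably the CA certificate's validity period) confirmed by the author.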
@@ -192,6 +203,53 @@ class TestIpaCertFix(IntegrationTest): raiseonerr=False) assert result.returncode == 2 + def test_missing_startup(self, expire_cert_critical): + """ + Test ipa-cert-fix fails when startup directive is missing from CS.cfg + + This test checks that if 'selftests.container.order.startup' directive + is missing from CS.cfg, ipa-cert-fix fails and throw proper error + message. It also checks that underlying command 'pki-server cert-fix' + should fail to renew the cert. + + related: https://pagure.io/freeipa/issue/8721 + """ + expire_cert_critical(self.master) + # pki must be stopped in order to edit CS.cfg + self.master.run_command(['ipactl', 'stop']) + self.master.run_command([ + 'sed', '-i', r'/selftests\.container\.order\.startup/d', + paths.CA_CS_CFG_PATH + ]) + # dirsrv needs to be up in order to run ipa-cert-fix + self.master.run_command(['ipactl', 'start', + '--ignore-service-failures']) + + result = self.master.run_command(['ipa-cert-fix', '-v'], + stdin_text='yes\n', + raiseonerr=False) + err_msg1 = "ERROR: 'selftests.container.order.startup'" + # check that pki-server cert-fix command fails + err_msg2 = ("ERROR: CalledProcessError(Command " + "['pki-server', 'cert-fix'") + assert err_msg1 and err_msg2 in result.stderr_text + + def test_expired_CA_cert(self, expire_ca_cert): + """Test to check ipa-cert-fix when CA certificate is expired + + In order to fix expired certs using ipa-cert-fix, CA cert should be + valid. If CA cert expired, ipa-cert-fix won't work. + + related: https://pagure.io/freeipa/issue/8721 + """ + result = self.master.run_command(['ipa-cert-fix', '-v'], + stdin_text='yes\n', + raiseonerr=False) + # check that pki-server cert-fix command fails + err_msg = ("ERROR: CalledProcessError(Command " + "['pki-server', 'cert-fix'") + assert err_msg in result.stderr_text + class TestIpaCertFixThirdParty(CALessBase): """
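Review bot: The final assertion in `test_missing_startup`, `assert err_msg1 and err_msg2 in result.stderr_text`, parses as `err_msg1 and (err_msg2 in result.stderr_text)`, and because `err_msg1` is a non-empty string the missing-directive message is never actually checked. Split it into `assert err_msg1 in result.stderr_text` and `assert err_msg2 in result.stderr_text` so that a regression in the 'selftests.container.order.startup' error fails the test. Both new tests also call `ipa-cert-fix` with `raiseonerr=False` and never look at `result.returncode`, so a run that logs the error but exits successfully would still pass. The expected exit code is not visible in this hunk, so at minimum add `assert result.returncode != 0` to each test.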