Test for 7526

Add a test for issue 7526: install a client with a bulk enrollment password, enrolling to an externally-signed CA master. Without the fix, the master does not publish the whole cert chain in /usr/share/ipa/html/ca.crt. As the client installer downloads the cert from this location, client installation fails. With the fix, the whole cert chain is available and client installation succeeds. The test_external_ca.py::TestExternalCA now requires 1 replica and 1 client, updated .freeipa-pr-ci.yaml accordingly. Also removed the annotation @tasks.collect_logs from test_external_ca as it messes with test ordering (and the test collects logs even without this annotation). Related to: https://pagure.io/freeipa/issue/7526 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-01-27 00:26:33 -06:00 · 2018-05-18 17:39:51 +02:00 · 2018-05-18 17:39:51 +02:00 · 1d70ce850e
commit 1d70ce850e
parent af99032d90
2 changed files with 27 additions and 3 deletions
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@ -61,7 +61,7 @@ jobs:
        test_suite: test_integration/test_external_ca.py::TestExternalCA test_integration/test_external_ca.py::TestSelfExternalSelf test_integration/test_external_ca.py::TestExternalCAInstall
        template: *ci-master-f28
        timeout: 3600
-        topology: *master_1repl
+        topology: *master_1repl_1client

  fedora-28/test_topologies:
    requires: [fedora-28/build]
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
@ -109,11 +109,11 @@ def service_control_dirsrv(host, function):

 class TestExternalCA(IntegrationTest):
    """
-    Test of FreeIPA server installation with exernal CA
+    Test of FreeIPA server installation with external CA
    """
    num_replicas = 1
+    num_clients = 1

-    @tasks.collect_logs
    def test_external_ca(self):
        # Step 1 of ipa-server-install.
        result = install_server_external_ca_step1(self.master)
@ -136,6 +136,30 @@ class TestExternalCA(IntegrationTest):
        # check that we can also install replica
        tasks.install_replica(self.master, self.replicas[0])

+    def test_client_installation_with_otp(self):
+        # Test for issue 7526: client installation fails with one-time
+        # password when the master is installed with an externally signed
+        # CA because the whole cert chain is not published in
+        # /usr/share/ipa/html/ca.crt
+
+        # Create a random password for the client
+        client = self.clients[0]
+        client_pwd = 'Secret123'
+        args = ['ipa',
+                'host-add', client.hostname,
+                '--ip-address', client.ip,
+                '--no-reverse',
+                '--password', client_pwd]
+        self.master.run_command(args)
+
+        # Enroll the client with the client_pwd
+        client.run_command(
+            ['ipa-client-install',
+             '--domain', self.master.domain.name,
+             '--server', self.master.hostname,
+             '-w', client_pwd,
+             '-U'])
+

 class TestSelfExternalSelf(IntegrationTest):
    """