From 678b8e682b37daa5217c0098cd6ce42c324b3955 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 25 Jun 2020 15:00:03 +1000
Subject: [PATCH] acme: add certbot dns-01 test

Add a test for the dns-01 challenge using Certbot. This test uses the new hook scripts distributed in the freeipa-client package.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden
---
 ipatests/test_integration/test_acme.py | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index b415487be..feb54a84a 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -23,6 +23,8 @@ skip_certbot_tests = osinfo.id not in ['fedora',]
 # RHEL version has the patches.
 skip_mod_md_tests = osinfo.id not in ['rhel',]
 
+CERTBOT_DNS_IPA_SCRIPT = '/usr/libexec/ipa/acme/certbot-dns-ipa'
+
 
 class TestACME(IntegrationTest):
 """
@@ -32,14 +34,12 @@ class TestACME(IntegrationTest):
 
 * service enable/disable (using Curl)
 * http-01 challenge with Certbot's standalone HTTP server
+ * dns-01 challenge with Certbot and FreeIPA DNS via hook scripts
 * revocation with Certbot
 * http-01 challenge with mod_md
 
 Tests we should add:
 
- * dns-01 challenge with Certbot and FreeIPA DNS
- (see https://frasertweedale.github.io
- /blog-redhat/posts/2020-05-13-ipa-acme-dns.html for details.)
 * dns-01 challenge with mod_md
 (see https://httpd.apache.org/docs/current/mod/mod_md.html#mdchallengedns01)
 
@@ -169,6 +169,26 @@ class TestACME(IntegrationTest):
 )
 assert 'revocation_reason:' in result.stdout_text
 
+ @pytest.mark.skipif(skip_certbot_tests, reason='certbot not available')
+ def test_certbot_dns(self):
+ # Assume previous revoke operation succeeded and cert was deleted.
+ # We can now request a new certificate.
+
+ # Get a cert from ACME service using dns-01 challenge and Certbot's
+ # standalone HTTP server mode
+ self.clients[0].run_command([
+ 'certbot',
+ '--server', self.acme_server,
+ 'certonly',
+ '--non-interactive',
+ '--domain', self.clients[0].hostname,
+ '--preferred-challenges', 'dns',
+ '--manual',
+ '--manual-public-ip-logging-ok',
+ '--manual-auth-hook', CERTBOT_DNS_IPA_SCRIPT,
+ '--manual-cleanup-hook', CERTBOT_DNS_IPA_SCRIPT,
+ ])
+
 ##############
 # mod_md tests
 ##############
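Review bot: The comment above the `run_command` call in `test_certbot_dns` still says the certificate is obtained with "Certbot's standalone HTTP server mode", which looks copied from the http-01 test; the command uses `--manual` with `--manual-auth-hook` and `--manual-cleanup-hook`, so I would reword it to `# Get a cert from the ACME service using the dns-01 challenge, with Certbot's manual plugin driving the FreeIPA DNS hook script`. The test has no assertion of its own and presumably relies on `run_command` failing on a non-zero exit, so nothing checks that the cleanup hook removed the `_acme-challenge` TXT record afterwards. A hook that leaves validation records behind in the zone would pass unnoticed, and a DNS lookup after the call asserting the record is gone would close that gap. The first comment also makes the test depend on the earlier revoke test having run and succeeded; that ordering requirement belongs in a docstring on the method, which currently has none.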