From d3c11f7627710ba5ba0f5b0dc1fe095bf0070598 Mon Sep 17 00:00:00 2001
From: Michal Polovka
Date: Wed, 1 Jun 2022 12:31:33 +0200
Subject: [PATCH] ipatests: Healthcheck use subject base from IPA not REALM

Test if healthcheck uses cert subject base from IPA and not from REALM. This prevents false-positive errors when the subject base is customized.
Related: https://github.com/freeipa/freeipa-healthcheck/issues/253
Signed-off-by: Michal Polovka
Reviewed-By: Florence Blanc-Renaud
Reviewed-By: Rob Crittenden
---
 .../test_integration/test_ipahealthcheck.py | 62 +++++++++++++++++++
 1 file changed, 62 insertions(+)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index a33fe4d0c..23af09f3a 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -2885,3 +2885,65 @@ class TestIpaHealthCheckWithExternalCA(IntegrationTest):
 assert check["kw"]["msg"] == error_msg
 else:
 assert error_reason in check["kw"]["msg"]
+
+
+class TestIpaHealthCheckSingleMaster(IntegrationTest):
+
+ @classmethod
+ def install(cls, mh):
+ # Nota Bene: The ipa server is not installed
+ tasks.install_packages(cls.master, HEALTHCHECK_PKG)
+
+ def test_ipahealthcheck_mismatching_certificates_subject(self):
+ """
+ Test if healthcheck uses cert subject base from IPA and not from
+ REALM. This prevents false-positive errors when the subject base is
+ customized.
+
+ Related: https://github.com/freeipa/freeipa-healthcheck/issues/253
+ """
+ # install master with custom cert subject base
+ tasks.install_master(
+ self.master,
+ setup_dns=True,
+ extra_args=[
+ '--no-dnssec-validation',
+ '--subject-base=O=LINUX.IS.GREAT,C=EU'
+ ]
+ )
+ try:
+ returncode, data = run_healthcheck(
+ self.master,
+ source="ipahealthcheck.ipa.certs",
+ check="IPADogtagCertsMatchCheck",
+ failures_only=True)
+
+ assert returncode == 0
+ assert len(data) == 0
+ finally:
+ # uninstall server for the next step
+ tasks.uninstall_master(self.master)
+
+ # install master with custom CA certificate subject DN
+ tasks.install_master(
+ self.master,
+ setup_dns=True,
+ extra_args=[
+ '--no-dnssec-validation',
+ '--ca-subject=CN=Healthcheck test,O=LINUX.IS.GREAT'
+ ]
+ )
+
+ try:
+ returncode, data = run_healthcheck(
+ self.master,
+ source="ipahealthcheck.ipa.certs",
+ check="IPADogtagCertsMatchCheck",
+ failures_only=True)
+
+ assert returncode == 0
+ assert len(data) == 0
+
+ finally:
+ # cleanup
+ tasks.uninstall_master(self.master)
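Review bot: Both healthcheck runs in `test_ipahealthcheck_mismatching_certificates_subject` pass `failures_only=True` and then assert only `returncode == 0` and `len(data) == 0`, so the test would also pass if `IPADogtagCertsMatchCheck` never executed or was skipped. That is the kind of silent gap that lets a real certificate mismatch go unreported. Consider dropping `failures_only=True` and asserting on the reported outcome, e.g. `assert data` followed by `assert all(check["result"] == "SUCCESS" for check in data)`, assuming `run_healthcheck` returns every result when that flag is off. Separately, each `tasks.install_master(...)` call sits before its `try:`, so a failed or partial install is not followed by `tasks.uninstall_master`; moving the install inside the `try:` would keep the host clean for later tests. A failure in the `--subject-base` scenario also stops the `--ca-subject` scenario from running at all, so splitting them into two test methods would report each independently.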