ipatests: Healthcheck use subject base from IPA not REALM

Test if healthcheck uses cert subject base from IPA and not from REALM. This prevents false-positive errors when the subject base is customized. Related: https://github.com/freeipa/freeipa-healthcheck/issues/253 Signed-off-by: Michal Polovka <mpolovka@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2022-06-01 12:31:33 +02:00 · 2022-06-01 12:31:33 +02:00 · d3c11f7627
commit d3c11f7627
parent bd57ff3566
1 changed files with 62 additions and 0 deletions
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@ -2885,3 +2885,65 @@ class TestIpaHealthCheckWithExternalCA(IntegrationTest):
                assert check["kw"]["msg"] == error_msg
            else:
                assert error_reason in check["kw"]["msg"]
 class TestIpaHealthCheckSingleMaster(IntegrationTest):
    @classmethod
    def install(cls, mh):
        # Nota Bene: The ipa server is not installed
        tasks.install_packages(cls.master, HEALTHCHECK_PKG)
    def test_ipahealthcheck_mismatching_certificates_subject(self):
        """
        Test if healthcheck uses cert subject base from IPA and not from
        REALM. This prevents false-positive errors when the subject base is
        customized.
        Related: https://github.com/freeipa/freeipa-healthcheck/issues/253
        """
        # install master with custom cert subject base
        tasks.install_master(
            self.master,
            setup_dns=True,
            extra_args=[
                '--no-dnssec-validation',
                '--subject-base=O=LINUX.IS.GREAT,C=EU'
            ]
        )
        try:
            returncode, data = run_healthcheck(
                self.master,
                source="ipahealthcheck.ipa.certs",
                check="IPADogtagCertsMatchCheck",
                failures_only=True)
            assert returncode == 0
            assert len(data) == 0
        finally:
            # uninstall server for the next step
            tasks.uninstall_master(self.master)
        # install master with custom CA certificate subject DN
        tasks.install_master(
            self.master,
            setup_dns=True,
            extra_args=[
                '--no-dnssec-validation',
                '--ca-subject=CN=Healthcheck test,O=LINUX.IS.GREAT'
            ]
        )
        try:
            returncode, data = run_healthcheck(
                self.master,
                source="ipahealthcheck.ipa.certs",
                check="IPADogtagCertsMatchCheck",
                failures_only=True)
            assert returncode == 0
            assert len(data) == 0
        finally:
            # cleanup
            tasks.uninstall_master(self.master)