ipatests: enhance TestSubCAkeyReplication

enhance the test suite so that it covers:
- deleting subCAs (disabling them first)
- checking what happens when creating a dozen+ subCAs at a time
- adding a subCA that already exists and expect failure

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>

ipatests/test_integration/test_replica_promotion.py

@@ -474,17 +474,35 @@ class TestSubCAkeyReplication(IntegrationTest):
         SERVER_CERT_NICK: 'u,u,u',
     }
 
-    def add_subca(self, host, name, subject):
+    def add_subca(self, host, name, subject, raiseonerr=True):
         result = host.run_command([
             'ipa', 'ca-add', name,
             '--subject', subject,
-            '--desc', self.SUBCA_DESC,
-        ])
+            '--desc', self.SUBCA_DESC],
+            raiseonerr=raiseonerr
+        )
+        if raiseonerr:
+            assert "ipa: ERROR:" not in result.stderr_text
             auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
             return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
+        else:
+            assert "ipa: ERROR:" in result.stderr_text
+            assert result.returncode != 0
+            return result
+
+    def del_subca(self, host, name):
+        host.run_command([
+            'ipa', 'ca-disable', name
+        ])
+        result = host.run_command([
+            'ipa', 'ca-del', name
+        ])
+        assert "Deleted CA \"{}\"".format(name) in result.stdout_text
 
     def check_subca(self, host, name, cert_nick):
-        host.run_command(['ipa', 'ca-show', name])
+        result = host.run_command(['ipa', 'ca-show', name])
+        # ipa ca-show returns 0 even if the cert cannot be found locally.
+        assert "ipa: ERROR:" not in result.stderr_text
         tasks.run_certutil(
             host, ['-L', '-n', cert_nick], paths.PKI_TOMCAT_ALIAS_DIR
         )
@@ -627,6 +645,30 @@ class TestSubCAkeyReplication(IntegrationTest):
         ssl = replica.run_command(ssl_cmd)
         assert 'Issuer: CN = {}'.format(self.SUBCA_MASTER) in ssl.stdout_text
 
+    def test_del_subca_master_on_replica(self):
+        self.del_subca(self.replicas[0], self.SUBCA_MASTER)
+
+    def test_del_subca_replica(self):
+        self.del_subca(self.replicas[0], self.SUBCA_REPLICA)
+
+    def test_scale_add_subca(self):
+        master = self.master
+        replica = self.replicas[0]
+
+        subcas = {}
+        for i in range(0, 16):
+            name = "_".join((self.SUBCA_MASTER, str(i)))
+            cn = "_".join((self.SUBCA_MASTER_CN, str(i)))
+            subcas[name] = self.add_subca(master, name, cn)
+            self.add_subca(master, name, cn, raiseonerr=False)
+
+        # give replication some time
+        time.sleep(15)
+
+        for name in subcas:
+            self.check_subca(replica, name, subcas[name])
+            self.del_subca(replica, name)
+
 
 class TestReplicaInstallCustodia(IntegrationTest):
     """