Merge branch 'master' of https://github.com/freeipa/freeipa

ipatests/test_integration/test_acme.py

@@ -17,6 +17,7 @@
 )
 from ipaplatform.osinfo import osinfo
 from ipaplatform.paths import paths
+from ipapython.dn import DN
 from ipatests.test_integration.test_external_ca import (
     install_server_external_ca_step1,
     install_server_external_ca_step2,
@@ -144,6 +145,15 @@ def certbot_standalone_cert(host, acme_server, no_of_cert=1):
         )
 
 
+def get_389ds_backend(host):
+    """ Return the backend type used by 389ds (either 'bdb' or 'lmdb')"""
+    conn = host.ldap_connect()
+    entry = conn.get_entry(
+        DN('cn=config,cn=ldbm database,cn=plugins,cn=config'))
+    backend = entry.single_value.get('nsslapd-backend-implement')
+    return backend
+
+
 class TestACME(CALessBase):
     """
     Test the FreeIPA ACME service by using ACME clients on a FreeIPA client.
@@ -397,21 +407,22 @@ def test_centralize_acme_disable(self):
         assert status == 'disabled'
 
     def test_acme_pruning_no_random_serial(self):
-        """This ACME install is configured without random serial
+        """BDB install is configured without random serial
            numbers. Verify that we can't enable pruning on it.
-
-           This test is located here because by default installs
-           don't enable RSNv3.
         """
         if (tasks.get_pki_version(self.master)
            < tasks.parse_version('11.3.0')):
             raise pytest.skip("Certificate pruning is not available")
         self.master.run_command(['ipa-acme-manage', 'enable'])
-        result = self.master.run_command(
-            ['ipa-acme-manage', 'pruning', '--enable'],
-            raiseonerr=False)
-        assert result.returncode == 1
-        assert "requires random serial numbers" in result.stderr_text
+
+        # This test is only relevant with BDB backend
+        # as with LMDB, the installer now enable RSNv3 and cert pruning
+        if get_389ds_backend(self.master) == 'bdb':
+            result = self.master.run_command(
+                ['ipa-acme-manage', 'pruning', '--enable'],
+                raiseonerr=False)
+            assert result.returncode == 1
+            assert "requires random serial numbers" in result.stderr_text
 
     @server_install_teardown
     def test_third_party_certs(self):
@@ -707,10 +718,12 @@ def test_enable_pruning(self):
         if (tasks.get_pki_version(self.master)
            < tasks.parse_version('11.3.0')):
             raise pytest.skip("Certificate pruning is not available")
-        cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH)
-        assert "jobsScheduler.job.pruning.enabled=false".encode() in cs_cfg
 
-        self.master.run_command(['ipa-acme-manage', 'pruning', '--enable'])
+        # Pruning is enabled by default when the host supports lmdb
+        if get_389ds_backend(self.master) == 'bdb':
+            cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH)
+            assert "jobsScheduler.job.pruning.enabled=false".encode() in cs_cfg
+            self.master.run_command(['ipa-acme-manage', 'pruning', '--enable'])
 
         cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH)
         assert "jobsScheduler.enabled=true".encode() in cs_cfg

ipatests/test_webui/test_cert.py

@@ -93,15 +93,32 @@ def _add_and_revoke_cert(self, reason='1'):
         csr = generate_csr(hostname)
 
         self.navigate_to_entity(ENTITY)
+
+        # Save the existing cert serials before the new one is added
+        # the test will compare before/after in order to find the serial
+        # of the newly generated certificate
+        result = self.execute_api_from_ui('cert_find', [], {})
+        certs = result['result']['result']
+        before = [cert["serial_number"] for cert in certs]
+
         self.facet_button_click('request_cert')
         self.fill_textbox('principal', 'HTTP/{}'.format(hostname))
         self.check_option('add', 'checked')
         self.fill_textarea('csr', csr)
         self.dialog_button_click('issue')
         self.assert_notification(assert_text='Certificate requested')
         self.navigate_to_entity(ENTITY)
+
+        # Save the existing cert serials after the new one is added
+        result = self.execute_api_from_ui('cert_find', [], {})
+        certs = result['result']['result']
+        after = [cert["serial_number"] for cert in certs]
+        new_serial = [serial for serial in after if serial not in before]
+        # Find the cert that was jsut generated
+        index = after.index(new_serial[0])
+
         rows = self.get_rows()
-        cert = rows[-1]
+        cert = rows[index]
 
         self.navigate_to_row_record(cert)
         self.action_list_action('revoke_cert', False)
@@ -212,10 +229,18 @@ def test_search_minimum_serial(self):
         # try searching using -1
         check_minimum_serial(self, '-1', 'min_serial_number')
 
+        # Find the highest serial number and add 1 to be sure there is no
+        # cert with a higher serial number
+        result = self.execute_api_from_ui('cert_find', [], {})
+        certs = result['result']['result']
+        serials = [int(cert["serial_number_hex"], 0) for cert in certs]
+        serials.sort()
+        highest_serial = str(serials[-1] + 1)
+
         # try using higher value than no. of certs present
         self.navigate_to_entity(ENTITY)
         self.select('select[name=search_option]', 'min_serial_number')
-        search_pkey(self, '99')
+        search_pkey(self, highest_serial)
         rows = self.get_rows()
         assert len(rows) == 0
 
@@ -226,8 +251,16 @@ def test_search_maximum_serial(self):
         """
         self.init_app()
         self.navigate_to_entity(ENTITY)
+
+        # Find the second lowest serial number
+        result = self.execute_api_from_ui('cert_find', [], {})
+        certs = result['result']['result']
+        serials = [int(cert["serial_number_hex"], 0) for cert in certs]
+        serials.sort()
+        second_serial = str(serials[1])
+
         self.select('select[name=search_option]', 'max_serial_number')
-        search_pkey(self, '2')
+        search_pkey(self, second_serial)
         rows = self.get_rows()
         assert len(rows) == 2