From 2b669c52a566382eecbed1511640f647d54f5b55 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Jul 09 2018 18:15:18 +0000 Subject: Wait for client certificates ipa-client-install --request-cert now waits until certmonger has provided a host certificate. In case of an error, ipa-client-install no longer pretents to success but fails with an error code. The --request-cert option also ensures that certmonger is enabled and running. See: Fixes: https://pagure.io/freeipa/issue/7623 Signed-off-by: Christian Heimes Reviewed-By: Stanislav Laznicka --- diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index 1c971dd..be906c9 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -824,6 +824,7 @@ def configure_certmonger( cmonger = services.knownservices.certmonger try: cmonger.enable() + cmonger.start() except Exception as e: logger.error( "Failed to configure automatic startup of the %s daemon: %s", @@ -835,19 +836,24 @@ def configure_certmonger( subject = str(DN(('CN', hostname), subject_base)) passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt') try: - certmonger.request_cert( + certmonger.request_and_wait_for_cert( certpath=paths.IPA_NSSDB_DIR, storage='NSSDB', nickname='Local IPA host', subject=subject, dns=[hostname], principal=principal, - passwd_fname=passwd_fname + passwd_fname=passwd_fname, + resubmit_timeout=120, + ) + except Exception as e: + logger.exception("certmonger request failed") + raise ScriptError( + "{} request for host certificate failed: {}".format( + cmonger.service_name, e + ), + rval=CLIENT_INSTALL_ERROR ) - except Exception as ex: - logger.error( - "%s request for host certificate failed: %s", - cmonger.service_name, ex) def configure_sssd_conf( diff --git a/ipatests/test_integration/test_user_permissions.py b/ipatests/test_integration/test_user_permissions.py index 3cd4655..3236cb5 100644 --- a/ipatests/test_integration/test_user_permissions.py 
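Review bot: A failure of the added `cmonger.start()` lands in the existing handler, whose message still reads "Failed to configure automatic startup of the %s daemon", so a daemon that is enabled but cannot start is logged as an enable problem. Wording it as `"Failed to enable or start the %s daemon: %s"` would keep the install log accurate for whoever triages a failed enrolment. The handler's remaining lines are outside the hunk; if it only logs and continues, the certificate request further down is made against a daemon that is not running, which deserves a short comment at this spot.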
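Review bot: The wait is bounded by a bare `resubmit_timeout=120` in the `request_and_wait_for_cert(...)` call, with no indication of the unit (presumably seconds) or why that value was chosen, although running into it now aborts the install with `CLIENT_INSTALL_ERROR`. A named module-level constant with a one-line comment, for example `CERT_REQUEST_TIMEOUT = 120  # seconds to wait for certmonger to issue the host cert`, would document it. The new `except Exception` also reports every error raised inside the call as a failed certificate request, not only an issuance failure; the `logger.exception` traceback keeps the real cause, so a comment saying the breadth is intentional would be enough. `configure_certmonger` starts outside the hunk, so whether configuration applied earlier is rolled back when `ScriptError` is raised cannot be seen from here.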
+++ b/ipatests/test_integration/test_user_permissions.py @@ -142,10 +142,23 @@ class TestInstallClientNoAdmin(IntegrationTest): user_kinit = "%s\n%s\n%s\n" % (password, password, password) self.master.run_command(['kinit', username], stdin_text=user_kinit) - tasks.install_client(self.master, client, user=username, - password=password) + tasks.install_client( + self.master, client, + extra_args=['--request-cert'], + user=username, password=password + ) msg = "args=['/usr/bin/getent', 'passwd', '%s@%s']" % \ (username, client.domain.name) install_log = client.get_file_contents(paths.IPACLIENT_INSTALL_LOG, encoding='utf-8') assert msg in install_log + + # check that user is able to request a host cert, too + result = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR) + assert 'Local IPA host' in result.stdout_text + result = tasks.run_certutil( + client, + ['-K', '-f', paths.IPA_NSSDB_PWDFILE_TXT], + paths.IPA_NSSDB_DIR + ) + assert 'Local IPA host' in result.stdout_text
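Review bot: Only the success path is exercised here; nothing checks the behaviour this commit introduces, namely that `ipa-client-install --request-cert` exits with an error when certmonger cannot deliver the certificate. A companion case in which the request fails, asserting a non-zero result from the installer, would pin that down. The two new checks match the nickname as a substring of the certutil output, so a comment such as `# -L lists certificates, -K lists private keys; the host nickname must appear in both` would tell readers why certutil is run twice. The test method starts outside the hunk.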