From 46f114d9e751b2a092b975b909f0e890257a507d Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Nov 20 2020 20:19:24 +0000
Subject: ipatests: Tests for ipahealthcheck.ds.nss_ssl


test_nsscheck_cert_expiring is moved under test_ipa_healthcheck_expiring

This patch checks that the 'ipahealthcheck.ds.nss_ssl' check in
healthcheck tool reports the correct status for the "Server-Cert"
about to expire and already expired respectively.

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

---

diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 350d7f2..73adf55 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -1138,11 +1138,58 @@ class TestIpaHealthCheck(IntegrationTest):
                 assert "cn=config" in check["kw"]["items"]
                 assert error_msg in check["kw"]["msg"]
 
+    @pytest.fixture
+    def expire_cert_critical(self):
+        """
+        Fixture to expire the cert by moving the system date using
+        date -s command and revert it back
+        """
+        self.master.run_command(['date','-s', '+3Years'])
+        yield
+        self.master.run_command(['date','-s', '-3Years'])
+        self.master.run_command(['ipactl', 'restart'])
+
+    def test_nsscheck_cert_expired(self, expire_cert_critical):
+        """
+        This test checks that critical message is displayed
+        for NssCheck when Server-Cert has expired
+        """
+        msg = "The certificate (Server-Cert) has expired"
+        returncode, data = run_healthcheck(
+            self.master, "ipahealthcheck.ds.nss_ssl", "NssCheck",
+        )
+        assert returncode == 1
+        for check in data:
+            assert check["result"] == "CRITICAL"
+            assert check["kw"]["key"] == "DSCERTLE0002"
+            assert "Expired Certificate" in check["kw"]["items"]
+            assert check["kw"]["msg"] == msg
+
+
     def test_ipa_healthcheck_expiring(self, restart_service):
         """
         There are two overlapping tests for expiring certs, check both.
         """
 
+        def execute_nsscheck_cert_expiring(check):
+            """
+            This test checks that error message is displayed
+            for NssCheck when 'Server-Cert' is about to expire
+            """
+            msg = (
+                "The certificate (Server-Cert) will "
+                "expire in less than 30 days"
+            )
+            returncode, data = run_healthcheck(
+                self.master, "ipahealthcheck.ds.nss_ssl", "NssCheck",
+            )
+            assert returncode == 1
+            for check in data:
+                assert check["result"] == "ERROR"
+                assert check["kw"]["key"] == "DSCERTLE0001"
+                assert "Expiring Certificate" in check["kw"]["items"]
+                assert check["kw"]["msg"] == msg
+
         def execute_expiring_check(check):
             """
             Test that certmonger will report warnings if expiration is near
@@ -1200,6 +1247,8 @@ class TestIpaHealthCheck(IntegrationTest):
                           "IPACertfileExpirationCheck",):
                 execute_expiring_check(check)
 
+            execute_nsscheck_cert_expiring(check)
+
         finally:
             # After restarting chronyd, the date may need some time to get
             # synced. Help chrony by resetting the date