From fd222273a544f9e8c7a1749ff797880db7edbf25 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Mon, 25 Nov 2024 13:14:50 +0100 Subject: [PATCH 1/2] ipatests: pruning is enabled by default with LMDB The test test_acme.py::TestACMEPrune::test_enable_pruning expects certificate pruning to be disabled by default. That assumption is valid only if the backend is BDB (if the backend is LMDB, RSNv3 + cert pruning are enabled by default). Update the test to be consistent with the new defaults. Fixes: https://pagure.io/freeipa/issue/9706 Signed-off-by: Florence Blanc-Renaud Reviewed-By: Rob Crittenden --- ipatests/test_integration/test_acme.py | 37 +++++++++++++++++--------- 1 file changed, 25 insertions(+), 12 deletions(-) diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py index 4032d266a8d..709d9071582 100644 --- a/ipatests/test_integration/test_acme.py +++ b/ipatests/test_integration/test_acme.py @@ -17,6 +17,7 @@ ) from ipaplatform.osinfo import osinfo from ipaplatform.paths import paths +from ipapython.dn import DN from ipatests.test_integration.test_external_ca import ( install_server_external_ca_step1, install_server_external_ca_step2, @@ -144,6 +145,15 @@ def certbot_standalone_cert(host, acme_server, no_of_cert=1): ) +def get_389ds_backend(host): + """ Return the backend type used by 389ds (either 'bdb' or 'lmdb')""" + conn = host.ldap_connect() + entry = conn.get_entry( + DN('cn=config,cn=ldbm database,cn=plugins,cn=config')) + backend = entry.single_value.get('nsslapd-backend-implement') + return backend + + class TestACME(CALessBase): """ Test the FreeIPA ACME service by using ACME clients on a FreeIPA client. 
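Review bot: get_389ds_backend returns None when `nsslapd-backend-implement` is missing or unreadable, because `entry.single_value.get(...)` is called without a default, and both callers compare the result with 'bdb' and quietly take the LMDB path, so a broken lookup skips assertions instead of failing the test. Pin the value before returning it: `assert backend in ('bdb', 'lmdb'), backend`, which also makes the docstring's "either 'bdb' or 'lmdb'" true. The client from `host.ldap_connect()` is never released; if that object exposes a close/disconnect method, call it once the entry has been read. The docstring's leading space in `""" Return` does not match PEP 257 and the rest of the file.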
@@ -397,21 +407,22 @@ def test_centralize_acme_disable(self): assert status == 'disabled' def test_acme_pruning_no_random_serial(self): - """This ACME install is configured without random serial + """BDB install is configured without random serial numbers. Verify that we can't enable pruning on it. - - This test is located here because by default installs - don't enable RSNv3. """ if (tasks.get_pki_version(self.master) < tasks.parse_version('11.3.0')): raise pytest.skip("Certificate pruning is not available") self.master.run_command(['ipa-acme-manage', 'enable']) - result = self.master.run_command( - ['ipa-acme-manage', 'pruning', '--enable'], - raiseonerr=False) - assert result.returncode == 1 - assert "requires random serial numbers" in result.stderr_text + + # This test is only relevant with BDB backend + # as with LMDB, the installer now enable RSNv3 and cert pruning + if get_389ds_backend(self.master) == 'bdb': + result = self.master.run_command( + ['ipa-acme-manage', 'pruning', '--enable'], + raiseonerr=False) + assert result.returncode == 1 + assert "requires random serial numbers" in result.stderr_text @server_install_teardown def test_third_party_certs(self): 
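Review bot: On an LMDB backend test_acme_pruning_no_random_serial now passes without asserting anything, since every check sits under `if get_389ds_backend(self.master) == 'bdb':`; a vacuous pass also hides the case where the backend lookup returns something unexpected. Report it as a skip, the way the pki-version guard just above does: `if get_389ds_backend(self.master) != 'bdb': raise pytest.skip("pruning without RSNv3 is only testable on BDB")`, then keep the run_command and the two asserts unindented. The same if-guard shape appears in test_enable_pruning in the `@@ -707` hunk, where the LMDB path likewise runs no check of its own. The new comment reads "the installer now enable RSNv3"; "enables".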
@@ -707,10 +718,12 @@ def test_enable_pruning(self): if (tasks.get_pki_version(self.master) < tasks.parse_version('11.3.0')): raise pytest.skip("Certificate pruning is not available") - cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH) - assert "jobsScheduler.job.pruning.enabled=false".encode() in cs_cfg - self.master.run_command(['ipa-acme-manage', 'pruning', '--enable']) + # Pruning is enabled by default when the host supports lmdb + if get_389ds_backend(self.master) == 'bdb': + cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH) + assert "jobsScheduler.job.pruning.enabled=false".encode() in cs_cfg + self.master.run_command(['ipa-acme-manage', 'pruning', '--enable']) cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH) assert "jobsScheduler.enabled=true".encode() in cs_cfg From c8befc9f46b43aec748ede33236ca4f77b2356c6 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Tue, 26 Nov 2024 09:40:53 +0100 Subject: [PATCH 2/2] webuitests: adapt to Random Serial Numbers The webui tests were written for sequential serial numbers and expect the certs to be issued with low serial numbers. Adapt to Random Serial Numbers. Fixes:https://pagure.io/freeipa/issue/9707 Signed-off-by: Florence Blanc-Renaud Reviewed-By: Rob Crittenden --- ipatests/test_webui/test_cert.py | 39 +++++++++++++++++++++++++++++--- 1 file changed, 36 insertions(+), 3 deletions(-) diff --git a/ipatests/test_webui/test_cert.py b/ipatests/test_webui/test_cert.py index 7a8ffde917c..0dc276555b2 100644 --- a/ipatests/test_webui/test_cert.py +++ b/ipatests/test_webui/test_cert.py 
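Review bot: The `if get_389ds_backend(self.master) == 'bdb':` branch in test_enable_pruning only guards the pre-enable assertion; on LMDB, which the comment says has pruning on by default, nothing verifies that claim before the hunk falls through to the `jobsScheduler.enabled=true` check. Add the symmetric assertion, `else:` / `cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH)` / `assert "jobsScheduler.job.pruning.enabled=true".encode() in cs_cfg`, unless the lines after the hunk already cover it; test_enable_pruning continues outside the hunk, so I cannot tell from here. The comment "when the host supports lmdb" is also imprecise: the branch keys on the backend in use, not on support, so `# Pruning is enabled by default when 389ds runs on the LMDB backend` would match the code.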
@@ -93,6 +93,14 @@ def _add_and_revoke_cert(self, reason='1'): csr = generate_csr(hostname) self.navigate_to_entity(ENTITY) + + # Save the existing cert serials before the new one is added + # the test will compare before/after in order to find the serial + # of the newly generated certificate + result = self.execute_api_from_ui('cert_find', [], {}) + certs = result['result']['result'] + before = [cert["serial_number"] for cert in certs] + self.facet_button_click('request_cert') self.fill_textbox('principal', 'HTTP/{}'.format(hostname)) self.check_option('add', 'checked') @@ -100,8 +108,17 @@ def _add_and_revoke_cert(self, reason='1'): self.dialog_button_click('issue') self.assert_notification(assert_text='Certificate requested') self.navigate_to_entity(ENTITY) + + # Save the existing cert serials after the new one is added + result = self.execute_api_from_ui('cert_find', [], {}) + certs = result['result']['result'] + after = [cert["serial_number"] for cert in certs] + new_serial = [serial for serial in after if serial not in before] + # Find the cert that was jsut generated + index = after.index(new_serial[0]) + rows = self.get_rows() - cert = rows[-1] + cert = rows[index] self.navigate_to_row_record(cert) self.action_list_action('revoke_cert', False) @@ -212,10 +229,18 @@ def test_search_minimum_serial(self): # try searching using -1 check_minimum_serial(self, '-1', 'min_serial_number') + # Find the highest serial number and add 1 to be sure there is no + # cert with a higher serial number + result = self.execute_api_from_ui('cert_find', [], {}) + certs = result['result']['result'] + serials = [int(cert["serial_number_hex"], 0) for cert in certs] + serials.sort() + highest_serial = str(serials[-1] + 1) + # try using higher value than no. of certs present self.navigate_to_entity(ENTITY) self.select('select[name=search_option]', 'min_serial_number') - search_pkey(self, '99') + search_pkey(self, highest_serial) rows = self.get_rows() assert len(rows) == 0 
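Review bot: The `cert_find` call followed by `result['result']['result']` and a serial comprehension added here is repeated in the `@@ -100`, `@@ -212` and `@@ -226` hunks, each re-deriving the response shape; one helper on the test class keeps that shape in a single place and the call sites reduce to a comprehension over it. The note below sketches it; `_add_and_revoke_cert` starts before this hunk and ends after the next one, so the helper would live alongside it rather than inside.
```python
def _find_certs(self):
    """Return the certificate entries reported by cert_find for the UI session."""
    result = self.execute_api_from_ui('cert_find', [], {})
    return result['result']['result']

# … unchanged: _add_and_revoke_cert up to navigate_to_entity(ENTITY) …
    before = [cert["serial_number"] for cert in self._find_certs()]
# … unchanged: request_cert dialog …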
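Review bot: `index = after.index(new_serial[0])` fails with a bare IndexError when no new serial shows up and silently picks the first one when several do; assert the expected cardinality first so the failure names its cause: `assert len(new_serial) == 1, (before, after)`. Using that index into `self.get_rows()` also assumes the UI table lists certificates in the same order as the cert_find response, which nothing in the hunk establishes; if the row helpers can select by serial, matching on `new_serial[0]` would not depend on ordering. "jsut" in the new comment is a typo. `_add_and_revoke_cert` starts before and continues after this hunk.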
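Review bot: `serials.sort()` followed by `serials[-1]` is `max(serials)`, and the indexing raises an unhelpful IndexError if cert_find returns no certificates; `assert serials, "cert_find returned no certificates"` then `highest_serial = str(max(serials) + 1)` reads better and fails clearly. The same sort-then-index pattern appears in test_search_maximum_serial in the `@@ -226` hunk, where `serials[1]` needs at least two entries (`sorted(serials)[1]` after a length assert). Both derive the extreme values from a cert_find call with no explicit size limit, so if the command caps its result the "highest" or "second lowest" serial is computed over a truncated list; passing a size-limit option, if the UI API call accepts one, would make that premise explicit.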
@@ -226,8 +251,16 @@ def test_search_maximum_serial(self): """ self.init_app() self.navigate_to_entity(ENTITY) + + # Find the second lowest serial number + result = self.execute_api_from_ui('cert_find', [], {}) + certs = result['result']['result'] + serials = [int(cert["serial_number_hex"], 0) for cert in certs] + serials.sort() + second_serial = str(serials[1]) + self.select('select[name=search_option]', 'max_serial_number') - search_pkey(self, '2') + search_pkey(self, second_serial) rows = self.get_rows() assert len(rows) == 2