Add Certificate issuance test

This test creates a number of clients and enrolls them. Then it creates
a number of services for each client and runs ipa-getcert on all of
them.

This is to try to identify the number of simultaneous certificate
requests that the server can manage. There is no real effort to fully
synchronize the requests since in reality they all won't fire at the
same time either.

There is one additional tuning option, the WSGI processes, which is not
exposed on the command-line. This can be tuned directly in the constants
file.

Signed-off-by: Rob Crittenden <[email protected]>

README.md

@@ -193,6 +193,31 @@ ipaperftest --test GroupSizeTest --threads 1500
 ipaperftest --test GroupSizeTest --threads 1500 --number-of-subgroups 3 
 ```
 
+### CertIssuanceTest
+
+Find the limit of the IPA API to issue new certificates.
+
+A set number of clients is enrolled then services for each client are created.
+
+For each service an ipa-getcert request is issued. There is little effort made
+to ensure that these are all run at the same time but in the end this more
+closely mirrors a live installation.
+
+#### Options
+Rather than declaring a bunch of new options some are reused. The available options
+are:
+
+- `cert-requests`: number of certificates to request for each client
+- `clients`: number of clients to enroll
+- `wsgi-processes`: number of WSGI processes to enable (default=4)
+
+Sample execution:
+
+```
+ipaperftest --test CertIssuanceTest --amount 70  --cert-requests 5
+ipaperftest --test CertIssuanceTest --amount 70  --cert-requests 5 -wsgi-processes 8
+```
+
 ## Creating test users
 
 For client authentication test we need a lot of users to test against.

create-test-data.py

@@ -17,6 +17,7 @@ def __init__(
             users=50000,
             hosts=40000,
             host_prefix="client",
+            services=0,
             number_of_subgroups=0,
             outfile=None,
     ):
@@ -85,6 +86,8 @@ def __init__(
         self.hosts = hosts
         self.hostgroups = hostgroups
 
+        self.services = services
+
         self.number_of_subgroups = number_of_subgroups
 
         self.hostgroups_per_host = hostgroups_per_host
@@ -206,6 +209,20 @@ def __init__(
             'ipaUniqueID': ['autogenerate'],
         }
 
+        self.service_defaults = {
+            'objectClass': [
+                'ipakrbprincipal',
+                'ipaobject',
+                'ipaservice',
+                'krbprincipal',
+                'krbprincipalaux',
+                'krbticketpolicyaux',
+                'pkiuser',
+                'top',
+            ],
+            'ipaUniqueID': ['autogenerate'],
+        }
+
         self.sudo_defaults = {
             'objectClass': [
                 'ipasudorule',
@@ -330,6 +347,37 @@ def hostgroupname_generator(self, start, stop, step=1):
         for i in range(start, stop, step):
             yield 'hostgroup{}'.format(i)
 
+    def gen_service(self, servicename, hostname):
+        service = dict(self.service_defaults)
+        service['dn'] = 'krbprincipalname={servicename}/{hostname}@{realm},' \
+            'cn=services,cn=accounts,{suffix}'.format(
+            servicename=servicename,
+            hostname=hostname,
+            realm=self.realm,
+            suffix=self.basedn
+        )
+        service['krbPrincipalName'] = ['{servicename}/{hostname}@{realm}'.format(
+            servicename=servicename,
+            hostname=hostname,
+            realm=self.realm
+        )]
+        service['krbCanonicalName'] = service['krbPrincipalName']
+        service['ipaKrbPrincipalAlias'] = service['krbPrincipalName']
+        service['managedBy'] = [
+            'fqdn={hostname},cn=computers,cn=accounts,{suffix}'.format(
+                hostname=hostname,
+                suffix=self.basedn)]
+        return service
+
+    def generate_services(self):
+        for i in range(0, self.hosts, 1):
+            hostname = '{}{:03d}.{}'.format(
+                self.host_prefix, i, self.domain
+            )
+            for j in range(0, self.services, 1):
+                service = self.gen_service(f'service{j}', hostname)
+                self.put_entry(service)
+
     def gen_sudorule(
             self, name,
             user_members=(), usergroup_members=(),
@@ -671,6 +719,7 @@ def put_entry(self, entry):
 class IPATestDataLDIF(IPADataLDIF):
     def do_magic(self):
         self.gen_users_and_groups()
+        self.generate_services()
 
     def username_generator(self, start, stop, step=1, hostname=None):
         for i in range(start, stop, step):
@@ -729,6 +778,8 @@ def put_entry(self, entry):
 @click.option("--hosts", default=500, help="Number of hosts to create.",
               type=int)
 @click.option("--host-prefix", default="client", help="hostname prefix")
+@click.option("--services", default=0, help="Number of services per host to create.",
+              type=int)
 @click.option("--outfile", default=None, help="LDIF output file")
 @click.option("--with-groups", default=False, help="Create user groups.",
               is_flag=True)
@@ -744,6 +795,7 @@ def main(
     users_per_host,
     hosts,
     host_prefix,
+    services,
     with_groups,
     with_hostgroups,
     with_sudo,
@@ -761,6 +813,7 @@ def main(
         users=users_per_host,
         hosts=hosts,
         host_prefix=host_prefix,
+        services=services,
         number_of_subgroups=number_of_subgroups,
         outfile=outfile,
     )

setup.py

@@ -22,6 +22,7 @@
         'ipaperftest.plugins': [
             'apitest = ipaperftest.plugins.apitest',
             'authenticationtest = ipaperftest.plugins.authenticationtest',
+            'certissuetest = ipaperftest.plugins.certissuetest',
             'enrollmenttest = ipaperftest.plugins.enrollmenttest',
             'groupsizetest = ipaperftest.plugins.groupsizetest',
         ],

src/ipaperftest/core/constants.py

@@ -607,3 +607,45 @@ def getLevelName(level):
         cmd: "ldapadd -x -D 'cn=Directory Manager' -w password -f userdata.ldif"
         chdir: /root
 """
+
+ANSIBLE_CERTISSUANCETEST_SERVER_CONFIG_PLAYBOOK = """
+---
+- name: Add services after enrollment
+  hosts: ipaserver
+  become: yes
+  tasks:
+    - synchronize:
+        src: "{{{{ item }}}}"
+        dest: "/root"
+        mode: push
+        use_ssh_args: yes
+      with_items:
+        - create-test-data.py
+    - package:
+        name: python3-pip
+    - command:
+        cmd: "pip3 install click"
+    - command:
+        cmd: "python3 create-test-data.py --hosts {amount} --outfile userdata.ldif --users-per-host 0 --services {services}"
+        chdir: /root
+    - command:
+        cmd: "ldapadd -x -D 'cn=Directory Manager' -w password -f userdata.ldif"
+        chdir: /root
+"""
+
+ANSIBLE_CERTISSUANCETEST_SERVER_TUNING_PLAYBOOK = """
+---
+- name: Tune the server WSGI parameters
+  hosts: ipaserver
+  become: yes
+  tasks:
+    - name: "Tune WSGI"
+      lineinfile:
+        path: /etc/httpd/conf.d/ipa.conf
+        regexp: '^WSGIDaemonProcess'
+        line: WSGIDaemonProcess ipa processes={wsgi_processes} threads=1 maximum-requests=500 \\
+    - name: "Restart httpd"
+      service:
+        name: httpd
+        state: restarted
+"""

src/ipaperftest/core/main.py

@@ -109,6 +109,7 @@ def run(self, ctx):
               type=click.Choice(["EnrollmentTest",
                                  "APITest",
                                  "AuthenticationTest",
+                                 "CertIssuanceTest",
                                  "GroupSizeTest"]))
 @click.option(
     "--client-image",
@@ -187,6 +188,8 @@ def run(self, ctx):
     help="Number of sub groups for Groupsize test",
     default=0,
 )
+@click.option("--cert-requests", default=0, help="Number of certificates to request")
+@click.option("--wsgi-processes", default=4, help="Number of WSGI processes")
 @click.pass_context
 def main(
     ctx,
@@ -211,6 +214,8 @@ def main(
     auth_spread=0,
     expected_result_type="no_errors",
     number_of_subgroups=0,
+    cert_requests=0,
+    wsgi_processes=4,
 ):
 
     tests = RunTest(['ipaperftest.registry'])