Compatibility fix for PyCA cryptography 42.0.0

Cryptography 42.0.0 introduced two new abstract properties
`not_valid_before_utc` and `not_valid_after_utc`, which are non-naive UTC
variants of the `not_valid_before` and `not_valid_after` properties.

The old properties are deprecated. The change also modifies tests to
handle the new `_utc` variants.

Fixes: #345

Signed-off-by: Rob Crittenden <[email protected]>

src/ipahealthcheck/ipa/certs.py

@@ -428,7 +428,7 @@ def check(self):
 
             now = datetime.now(tz=timezone.utc)
             # Older versions of IPA provide naive timestamps
-            notafter = cert.not_valid_after.replace(tzinfo=timezone.utc)
+            notafter = cert.not_valid_after_utc
 
             if now > notafter:
                 yield Result(self, constants.ERROR,
@@ -1447,7 +1447,7 @@ def check(self):
         for cert in ca_certs:
             subject = DN(cert.subject)
             subject = str(subject).replace('\\;', '\\3b')
-            dt = cert.not_valid_after.replace(tzinfo=timezone.utc)
+            dt = cert.not_valid_after_utc
             if dt < now:
                 logger.debug("%s is expired", subject)
                 yield Result(self, constants.CRITICAL,

tests/test_ipa_certfile_expiration.py

@@ -23,7 +23,7 @@ def __init__(self, not_valid_after, serial_number=1):
         self.subject = 'CN=RA AGENT'
         self.issuer = 'CN=ISSUER'
         self.serial_number = serial_number
-        self.not_valid_after = not_valid_after
+        self.not_valid_after_utc = not_valid_after
 
 
 class TestIPACertificateFile(BaseTest):

tests/test_ipa_expiration.py

@@ -100,7 +100,7 @@ def subject(self):
         return self.subj
 
     @property
-    def not_valid_after(self):
+    def not_valid_after_utc(self):
         return self.not_after