On 07/29/2016 11:43 AM, Lenka Doudova wrote:
On 07/29/2016 11:41 AM, Lenka Doudova wrote:
On 07/28/2016 01:35 PM, Peter Lacko wrote:
Hops, fixed.
Peter
----- Original Message -----
From: "Lenka Doudova"<[email protected]>
To:[email protected]
Sent: Thursday, July 28, 2016 1:32:25 PM
Subject: Re: [Freeipa-devel] [PATCH 0003] Test validity of URIs in
certificate
Hi,
I cannot find any attached patch :)
Lenka
On 07/28/2016 01:30 PM, Peter Lacko wrote:
Attached you can find a patch adding test for URIs in generated certificate
ipatests/test_xmlrpc/test_cert_plugin.py
Since I'm leaving Red Hat in end of July, I won't be able to modify this patch
anymore.
Regards,
Peter
Hi,
NACK. Code looks fine and works well on master branch, but patch does
not apply on 4-3 and 4-2 branches.
Peter left the company but claimed he can fix the patch if necessary,
I'll communicate it with him or fix it myself.
Lenka
Oh, and forgot this one - PEP8 error:
./ipatests/test_xmlrpc/test_cert_plugin.py:191:80: E501 line too long
(105 > 79 characters)
Lenka
Hi,
since Peter has quit already, I took it upon myself to do minor fix and
rebase to the patch.
1) i removed pylint disable comments from the patch, as they were
unnecessary (this also solved PEP8 error)
2) I rebased the patch to be applicable for ipa-4-3 branch.
Original functionality of the patch remains unchanged.
Both fixed patches attached.
Lenka
From 63f0efeaf16cff8cb30e6e8e7903722330ae883c Mon Sep 17 00:00:00 2001
From: Peter Lacko <[email protected]>
Date: Fri, 15 Jul 2016 16:55:51 +0200
Subject: [PATCH] Test URIs in certificate.
Test that CRL URI and OCSP URI are present and correct in generated certificate.
https://fedorahosted.org/freeipa/ticket/5881
---
ipatests/test_xmlrpc/test_cert_plugin.py | 52 ++++++++++++++++++++++++--------
1 file changed, 39 insertions(+), 13 deletions(-)
diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
index a3839d0f79af7208bc2e9ce54183dec288f79ff1..b106c091edde68097c35907ea834b37b64407735 100644
--- a/ipatests/test_xmlrpc/test_cert_plugin.py
+++ b/ipatests/test_xmlrpc/test_cert_plugin.py
@@ -19,24 +19,25 @@
"""
Test the `ipalib/plugins/cert.py` module against a RA.
"""
+from __future__ import print_function
import sys
+import base64
+import nose
import os
+import pytest
import shutil
-from nose.tools import raises, assert_raises # pylint: disable=E0611
-
-from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test, assert_attr_equal
+import six
+import tempfile
from ipalib import api
from ipalib import errors
from ipalib import x509
-import tempfile
-from ipapython import ipautil
-import six
-import nose
-import base64
from ipaplatform.paths import paths
+from ipapython import ipautil
from ipapython.dn import DN
-import pytest
+from ipapython.ipautil import run
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test, assert_attr_equal
+from nose.tools import raises, assert_raises # pylint: disable=E0611
if six.PY3:
unicode = str
@@ -44,6 +45,11 @@ if six.PY3:
# So we can save the cert from issuance and compare it later
cert = None
newcert = None
+sn = None
+
+_DOMAIN = api.env.domain
+_EXP_CRL_URI = ''.join(['http://ipa-ca.', _DOMAIN, '/ipa/crl/MasterCRL.bin'])
+_EXP_OCSP_URI = ''.join(['http://ipa-ca.', _DOMAIN, '/ca/ocsp'])
def is_db_configured():
"""
@@ -82,6 +88,8 @@ class test_cert(XMLRPC_test):
if 'cert_request' not in api.Command:
raise nose.SkipTest('cert_request not registered')
+ if 'cert_show' not in api.Command:
+ raise nose.SkipTest('cert_show not registered')
is_db_configured()
@@ -94,6 +102,7 @@ class test_cert(XMLRPC_test):
self.reqdir = tempfile.mkdtemp(prefix = "tmp-")
self.reqfile = self.reqdir + "/test.csr"
self.pwname = self.reqdir + "/pwd"
+ self.certfile = self.reqdir + "/cert.crt"
# Create an empty password file
fp = open(self.pwname, "w")
@@ -144,13 +153,15 @@ class test_cert(XMLRPC_test):
Test the `xmlrpc.cert_request` method with --add.
"""
# Our host should exist from previous test
- global cert
+ global cert, sn
csr = unicode(self.generateCSR(str(self.subject)))
res = api.Command['cert_request'](csr, principal=self.service_princ, add=True)['result']
assert DN(res['subject']) == self.subject
# save the cert for the service_show/find tests
cert = res['certificate'].encode('ascii')
+ # save cert's SN for URI test
+ sn = res['serial_number']
def test_0003_service_show(self):
"""
@@ -171,7 +182,22 @@ class test_cert(XMLRPC_test):
res = api.Command['service_find'](self.service_princ)['result']
assert base64.b64encode(res[0]['usercertificate'][0]) == cert
- def test_0005_cert_renew(self):
+ def test_0005_cert_uris(self):
+ """Test URI details and OCSP-URI in certificate.
+
+ See https://fedorahosted.org/freeipa/ticket/5881
+ """
+ global sn
+
+ result = api.Command.cert_show(sn, out=unicode(self.certfile))
+ with open(self.certfile, "r") as f:
+ pem_cert = unicode(f.read())
+ result = run(['openssl', 'x509', '-text'],
+ stdin=pem_cert, capture_output=True)
+ assert _EXP_CRL_URI in result.output
+ assert _EXP_OCSP_URI in result.output
+
+ def test_0006_cert_renew(self):
"""
Issue a new certificate for a service
"""
@@ -183,7 +209,7 @@ class test_cert(XMLRPC_test):
# save the cert for the service_show/find tests
newcert = res['certificate'].encode('ascii')
- def test_0006_service_show(self):
+ def test_0007_service_show(self):
"""
Verify the new certificate with service-show.
"""
@@ -195,7 +221,7 @@ class test_cert(XMLRPC_test):
certs_encoded = (base64.b64encode(cert) for cert in res['usercertificate'])
assert set(certs_encoded) == set([cert, newcert])
- def test_0007_cleanup(self):
+ def test_0008_cleanup(self):
"""
Clean up cert test data
"""
--
2.7.4
From 55a738abe6c480dd2f8111fa0431187af616f75e Mon Sep 17 00:00:00 2001
From: Peter Lacko <[email protected]>
Date: Fri, 15 Jul 2016 16:55:51 +0200
Subject: [PATCH] Test URIs in certificate.
Test that CRL URI and OCSP URI are present and correct in generated certificate.
https://fedorahosted.org/freeipa/ticket/5881
---
ipatests/test_xmlrpc/test_cert_plugin.py | 52 ++++++++++++++++++++++++--------
1 file changed, 39 insertions(+), 13 deletions(-)
diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
index 8127ef224b24a0b3a63c3d07ef72d4b53feda4be..1efb6ec805a8a1021abb25125c84b83e464f11d7 100644
--- a/ipatests/test_xmlrpc/test_cert_plugin.py
+++ b/ipatests/test_xmlrpc/test_cert_plugin.py
@@ -19,23 +19,24 @@
"""
Test the `ipaserver/plugins/cert.py` module against a RA.
"""
+from __future__ import print_function
+import base64
+import nose
import os
+import pytest
import shutil
-from nose.tools import raises, assert_raises # pylint: disable=E0611
-
-from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
+import six
+import tempfile
from ipalib import api
from ipalib import errors
from ipalib import x509
-import tempfile
-from ipapython import ipautil
-import six
-import nose
-import base64
from ipaplatform.paths import paths
+from ipapython import ipautil
from ipapython.dn import DN
-import pytest
+from ipapython.ipautil import run
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
+from nose.tools import raises, assert_raises # pylint: disable=E0611
if six.PY3:
unicode = str
@@ -43,6 +44,11 @@ if six.PY3:
# So we can save the cert from issuance and compare it later
cert = None
newcert = None
+sn = None
+
+_DOMAIN = api.env.domain
+_EXP_CRL_URI = ''.join(['http://ipa-ca.', _DOMAIN, '/ipa/crl/MasterCRL.bin'])
+_EXP_OCSP_URI = ''.join(['http://ipa-ca.', _DOMAIN, '/ca/ocsp'])
def is_db_configured():
"""
@@ -81,6 +87,8 @@ class test_cert(XMLRPC_test):
if 'cert_request' not in api.Command:
raise nose.SkipTest('cert_request not registered')
+ if 'cert_show' not in api.Command:
+ raise nose.SkipTest('cert_show not registered')
is_db_configured()
@@ -93,6 +101,7 @@ class test_cert(XMLRPC_test):
self.reqdir = tempfile.mkdtemp(prefix = "tmp-")
self.reqfile = self.reqdir + "/test.csr"
self.pwname = self.reqdir + "/pwd"
+ self.certfile = self.reqdir + "/cert.crt"
# Create an empty password file
fp = open(self.pwname, "w")
@@ -143,13 +152,15 @@ class test_cert(XMLRPC_test):
Test the `xmlrpc.cert_request` method with --add.
"""
# Our host should exist from previous test
- global cert
+ global cert, sn
csr = unicode(self.generateCSR(str(self.subject)))
res = api.Command['cert_request'](csr, principal=self.service_princ, add=True)['result']
assert DN(res['subject']) == self.subject
# save the cert for the service_show/find tests
cert = res['certificate'].encode('ascii')
+ # save cert's SN for URI test
+ sn = res['serial_number']
def test_0003_service_show(self):
"""
@@ -170,7 +181,22 @@ class test_cert(XMLRPC_test):
res = api.Command['service_find'](self.service_princ)['result']
assert base64.b64encode(res[0]['usercertificate'][0]) == cert
- def test_0005_cert_renew(self):
+ def test_0005_cert_uris(self):
+ """Test URI details and OCSP-URI in certificate.
+
+ See https://fedorahosted.org/freeipa/ticket/5881
+ """
+ global sn
+
+ result = api.Command.cert_show(sn, out=unicode(self.certfile))
+ with open(self.certfile, "r") as f:
+ pem_cert = unicode(f.read())
+ result = run(['openssl', 'x509', '-text'],
+ stdin=pem_cert, capture_output=True)
+ assert _EXP_CRL_URI in result.output
+ assert _EXP_OCSP_URI in result.output
+
+ def test_0006_cert_renew(self):
"""
Issue a new certificate for a service
"""
@@ -182,7 +208,7 @@ class test_cert(XMLRPC_test):
# save the cert for the service_show/find tests
newcert = res['certificate'].encode('ascii')
- def test_0006_service_show(self):
+ def test_0007_service_show(self):
"""
Verify the new certificate with service-show.
"""
@@ -194,7 +220,7 @@ class test_cert(XMLRPC_test):
certs_encoded = (base64.b64encode(cert) for cert in res['usercertificate'])
assert set(certs_encoded) == set([cert, newcert])
- def test_0007_cleanup(self):
+ def test_0008_cleanup(self):
"""
Clean up cert test data
"""
--
2.7.4
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
