On Wed, 2011-07-27 at 16:17 +0200, Martin Kosek wrote:
> On Wed, 2011-07-27 at 10:10 -0400, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > Fix several test failures when issuer does not match the one
> > > generated by make-testcert (CN=Certificate Authority,O=<realm>).
> > >
> > > https://fedorahosted.org/freeipa/ticket/1527
> > >
> > 
> > What kind of CA are you testing against? Right now the subject of the
> > issuer differs depending on whether you are installing a dogtag CA or a self-signed
> > CA. I think that unifying those will be needed as well.
> > 
> > rob
> 
> That was tested against dogtag CA. We indeed need to unify this so that
> people are not confused by errors like this.
> 
> Martin
> 

I improved the tests by creating a new fuzzy attribute - fuzzy_issuer
which will allow both issuer alternatives. It should now pass on both
self-signed and dogtag IPA.

Martin
>From 5f6f5676739279196b3a3f1fce47d196d186c965 Mon Sep 17 00:00:00 2001
From: Martin Kosek <[email protected]>
Date: Wed, 27 Jul 2011 11:02:00 +0200
Subject: [PATCH] Fix invalid issuer in unit tests

Fix several test failures when issuer does not match the one
generated by make-testcert (CN=Certificate Authority,O=<realm>).

https://fedorahosted.org/freeipa/ticket/1527
---
 ipalib/x509.py                           |    7 +++++--
 tests/test_xmlrpc/test_host_plugin.py    |    6 +++---
 tests/test_xmlrpc/test_service_plugin.py |    6 +++---
 tests/test_xmlrpc/xmlrpc_test.py         |    3 +++
 4 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index e757e1d1fab8dc4d38bf8f2207daed7fe441f117..23f337edcc18e6b63b232b578d8588872c033899 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -45,6 +45,10 @@ from ipalib import errors
 PEM = 0
 DER = 1
 
+def valid_issuer(issuer, realm):
+    return issuer in ('CN=%s Certificate Authority' % realm,
+                      'CN=Certificate Authority,O=%s' % realm,)
+
 def strip_header(pem):
     """
     Remove the header and footer from a certificate.
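Review bot: `valid_issuer` is added without a docstring, and its name reads like a trust decision although it only compares the issuer's string form against two fixed templates. Since the helper is now imported outside this module (the test suite uses it), I would add a docstring such as `"""Return True if the issuer DN string is one of the two forms IPA generates (self-signed or dogtag) for realm; this is a name match only, not a signature or chain check."""`. The comparison is exact, so the result depends on how the caller renders the DN (RDN order, spacing, case), which the docstring should also state. At the call site in the next hunk, the outer parentheses in `if (not valid_issuer(issuer, api.env.realm)):` can be dropped.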
@@ -187,8 +191,7 @@ def verify_cert_subject(ldap, hostname, dercert):
     issuer = str(nsscert.issuer)
 
     # Handle both supported forms of issuer, from selfsign and dogtag.
-    if ((issuer != 'CN=%s Certificate Authority' % api.env.realm) and
-        (issuer != 'CN=Certificate Authority,O=%s' % api.env.realm)):
+    if (not valid_issuer(issuer, api.env.realm)):
         raise errors.CertificateOperationError(error=_('Issuer "%(issuer)s" does not match the expected issuer') % \
         {'issuer' : issuer})
 
diff --git a/tests/test_xmlrpc/test_host_plugin.py b/tests/test_xmlrpc/test_host_plugin.py
index 793729629eda71a3800b87b9068378207492f426..426b0d7caebe82f2829594557b9e9abe59098f0a 100644
--- a/tests/test_xmlrpc/test_host_plugin.py
+++ b/tests/test_xmlrpc/test_host_plugin.py
@@ -24,7 +24,7 @@ Test the `ipalib.plugins.host` module.
 
 from ipalib import api, errors, x509
 from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_digits
-from tests.test_xmlrpc.xmlrpc_test import fuzzy_hash, fuzzy_date
+from tests.test_xmlrpc.xmlrpc_test import fuzzy_hash, fuzzy_date, fuzzy_issuer
 from tests.test_xmlrpc import objectclasses
 import base64
 
@@ -239,7 +239,7 @@ class test_host(Declarative):
                     serial_number=fuzzy_digits,
                     md5_fingerprint=fuzzy_hash,
                     sha1_fingerprint=fuzzy_hash,
-                    issuer=u'CN=%s Certificate Authority' % api.env.realm,
+                    issuer=fuzzy_issuer,
                 ),
             ),
         ),
@@ -266,7 +266,7 @@ class test_host(Declarative):
                     serial_number=fuzzy_digits,
                     md5_fingerprint=fuzzy_hash,
                     sha1_fingerprint=fuzzy_hash,
-                    issuer=u'CN=%s Certificate Authority' % api.env.realm,
+                    issuer=fuzzy_issuer,
                 ),
             ),
         ),
diff --git a/tests/test_xmlrpc/test_service_plugin.py b/tests/test_xmlrpc/test_service_plugin.py
index be58b3511290d6cdc80c2bca5367c7e374700dc3..4f08f235ee1968d803a5fb107260dbdef0bd3448 100644
--- a/tests/test_xmlrpc/test_service_plugin.py
+++ b/tests/test_xmlrpc/test_service_plugin.py
@@ -23,7 +23,7 @@ Test the `ipalib/plugins/service.py` module.
 
 from ipalib import api, errors, x509
 from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
-from tests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date
+from tests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
 from tests.test_xmlrpc import objectclasses
 import base64
 
@@ -375,7 +375,7 @@ class test_host(Declarative):
                     serial_number=fuzzy_digits,
                     md5_fingerprint=fuzzy_hash,
                     sha1_fingerprint=fuzzy_hash,
-                    issuer=u'CN=%s Certificate Authority' % api.env.realm,
+                    issuer=fuzzy_issuer,
                 ),
             ),
         ),
@@ -401,7 +401,7 @@ class test_host(Declarative):
                     serial_number=fuzzy_digits,
                     md5_fingerprint=fuzzy_hash,
                     sha1_fingerprint=fuzzy_hash,
-                    issuer=u'CN=%s Certificate Authority' % api.env.realm,
+                    issuer=fuzzy_issuer,
                 ),
             ),
         ),
diff --git a/tests/test_xmlrpc/xmlrpc_test.py b/tests/test_xmlrpc/xmlrpc_test.py
index 7b6a74177fc0e4769efc5d120cf166d31b8be64c..4f29fb7ceb4fcb6b8602e4884f634f63babdcfa6 100644
--- a/tests/test_xmlrpc/xmlrpc_test.py
+++ b/tests/test_xmlrpc/xmlrpc_test.py
@@ -27,6 +27,7 @@ import nose
 from tests.util import assert_deepequal, Fuzzy
 from ipalib import api, request
 from ipalib import errors
+from ipalib.x509 import valid_issuer
 
 
 # Matches a gidnumber like '1391016742'
@@ -50,6 +51,8 @@ fuzzy_hash = Fuzzy('^([a-f0-9][a-f0-9]:)+[a-f0-9][a-f0-9]$', type=basestring)
 # Matches a date, like Tue Apr 26 17:45:35 2016 UTC
 fuzzy_date = Fuzzy('^[a-zA-Z]{3} [a-zA-Z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} UTC$')
 
+fuzzy_issuer = Fuzzy(type=basestring, test=lambda issuer: valid_issuer(issuer, api.env.realm))
+
 try:
     if not api.Backend.xmlclient.isconnected():
         api.Backend.xmlclient.connect(fallback=False)
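Review bot: `fuzzy_issuer` is the only matcher in this block without a `# Matches ...` comment, and it uses the production helper `valid_issuer` as its own oracle. As a result the host and service tests accept either issuer form on any installation, and they would still pass if `valid_issuer` itself were wrong or if a dogtag install began returning the self-signed form. I would add `# Matches either supported issuer DN (self-signed or dogtag CA) for the test realm` above the definition, and consider spelling out the two expected strings in the test module instead of importing the check from `ipalib.x509`. The `try:` block that follows continues outside the hunk.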
-- 
1.7.6
