On 09/14/2015 05:47 PM, Martin Basti wrote:


On 09/14/2015 01:49 PM, Lenka Doudova wrote:
All good,
ACK

On 09/14/2015 11:54 AM, Milan Kubík wrote:
On 09/14/2015 10:10 AM, Lenka Doudova wrote:
NACK because:

$ pep8 ipatests/test_xmlrpc/test_certprofile_plugin.py
ipatests/test_xmlrpc/test_certprofile_plugin.py:213:8: E121 continuation line under-indented for hanging indent

(just a missing space in the indent)

Lenka

On 09/11/2015 01:47 PM, Milan Kubík wrote:
On 09/11/2015 12:43 PM, Lenka Doudova wrote:




On 09/11/2015 11:45 AM, Milan Kubík wrote:

On 09/11/2015 10:27 AM, Martin Basti wrote:





On 09/11/2015 09:51 AM, Lenka Doudova wrote:





On 09/10/2015 02:11 PM, Milan Kubík wrote:

On 09/04/2015 03:57 PM, Martin Babinsky wrote:

On 09/04/2015 11:06 AM, Lenka Doudova wrote:



Hi,







there's no traceback in the file you mentioned, but I'm running it



through lite-server, so here's the traceback from there:



http://pastebin.test.redhat.com/310598







I can't really get to the problem. What I forgot to mention in the



previous email was that the tests fail when attempting to add a



certprofile, but if I try to do is manually using 'ipa



certprofile-import' command with the exact same data as used in the



test, it works fine.







Lenka







Do you get the traceback also when you run the tests using

'ipa-run-tests' with installed IPA master?











Hello,



I don't think it is possible to run these tests against the lite
server. Please do it on regular installation.



Anyway, sorry for the long delay. I send the updated patches.

I updated them to reflect the fix for rename option and extended
about test with importing a profile from XML file. The test case
may need to be updated, based on the resolution of [1].

This at the moment raises remote retrieve error (400 from dogtag),
I think there should be more clear message (detecting xml).



[1]: https://fedorahosted.org/freeipa/ticket/5294





Cheers,

Milan



Hi,



can't build rpms after applying the patches (namely patch 0009.2):



Module ipatests.test_xmlrpc.utils

ipatests/test_xmlrpc/utils.py:10: [E1101(no-member), prepare_config]
Module 'py' has no 'path' member)





Lenka



Do we need new util.py in test_xmlrpc? Why not just add it into
existing ipatests/util.py?





Updated patch attached.

Changes:

    content of ipatests.test_xmlrpc.utils moved to ipatests.utils

    make-lint updated to ignore py.path submodule



Again got an error:



Module ipatests.test_xmlrpc.test_certprofile_plugin



ipatests/test_xmlrpc/test_certprofile_plugin.py:16: [E0611(no-name-in-module), ] No name 'utils' in module 'ipatests')





Probably just extra 's' in:



from ipatests.utils import prepare_config



Lenka



Typo fixed. Removed the py module from the code after an offline discussion.
Patch attached.

Milan


Fixed. Patch attached.

Milan


I cannot apply this patch on master branch even with 3-way merge, thus I cannot push this, please send rebased patch.
Hi,

rebased patches attached.

Milan
From bcb1d7fbf2f4f43532fac1c5f56dfbb484bf7221 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= <mku...@redhat.com>
Date: Wed, 10 Jun 2015 14:48:33 +0200
Subject: [PATCH 1/5] ipatests: Add Certprofile tracker class implementation

https://fedorahosted.org/freeipa/ticket/57
---
 ipatests/test_xmlrpc/objectclasses.py           |   5 +
 ipatests/test_xmlrpc/test_certprofile_plugin.py | 140 ++++++++++++++++++++++++
 2 files changed, 145 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/test_certprofile_plugin.py

diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index a5c1b4c501cd28049b29cfc5e55ae745d91dc5bf..1cd77c7f885fe408d0d9d48fc6d8284900c91b7f 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -212,3 +212,8 @@ servicedelegationtarget = [
     u'top',
     u'groupofprincipals',
 ]
+
+certprofile = [
+    u'top',
+    u'ipacertprofile',
+]
diff --git a/ipatests/test_xmlrpc/test_certprofile_plugin.py b/ipatests/test_xmlrpc/test_certprofile_plugin.py
new file mode 100644
index 0000000000000000000000000000000000000000..8fd81bc3f0cc7896adb9fdb6904ace1e7ebc52b3
--- /dev/null
+++ b/ipatests/test_xmlrpc/test_certprofile_plugin.py
@@ -0,0 +1,140 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2015  FreeIPA Contributors see COPYING for license
+#
+
+"""
+Test the `ipalib.plugins.certprofile` module.
+"""
+
+import os
+
+import pytest
+
+from ipalib import errors
+from ipapython.dn import DN
+from ipatests.test_xmlrpc.ldaptracker import Tracker
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test, raises_exact
+from ipatests.test_xmlrpc import objectclasses
+from ipatests.util import assert_deepequal
+
+
+class CertprofileTracker(Tracker):
+    """Tracker class for certprofile plugin.
+    """
+
+    retrieve_keys = {
+        'dn', 'cn', 'description', 'ipacertprofilestoreissued'
+    }
+    retrieve_all_keys = retrieve_keys | {'objectclass'}
+    create_keys = retrieve_keys | {'objectclass'}
+    update_keys = retrieve_keys - {'dn'}
+    managedby_keys = retrieve_keys
+    allowedto_keys = retrieve_keys
+
+    def __init__(self, name, store=False, desc='dummy description',
+                 profile=None, default_version=None):
+        super(CertprofileTracker, self).__init__(
+            default_version=default_version
+        )
+
+        self.store = store
+        self.description = desc
+        self._profile_path = profile
+
+        self.dn = DN(('cn', name), 'cn=certprofiles', 'cn=ca',
+                     self.api.env.basedn)
+
+    @property
+    def profile(self):
+        if not self._profile_path:
+            return None
+
+        if os.path.isabs(self._profile_path):
+            path = self._profile_path
+        else:
+            path = os.path.join(os.path.dirname(__file__),
+                                self._profile_path)
+
+        with open(path, 'r') as f:
+            content = f.read()
+        return unicode(content)
+
+    def make_create_command(self, force=True):
+        if not self.profile:
+            raise RuntimeError('Tracker object without path to profile '
+                               'cannot be used to create profile entry.')
+
+        return self.make_command('certprofile_import', self.name,
+                                 description=self.description,
+                                 ipacertprofilestoreissued=self.store,
+                                 file=self.profile)
+
+    def check_create(self, result):
+        assert_deepequal(dict(
+            value=self.name,
+            summary=u'Imported profile "{}"'.format(self.name),
+            result=dict(self.filter_attrs(self.create_keys))
+        ), result)
+
+    def track_create(self):
+        self.attrs = dict(
+            dn=unicode(self.dn),
+            cn=[self.name],
+            description=[self.description],
+            ipacertprofilestoreissued=[unicode(self.store).upper()],
+            objectclass=objectclasses.certprofile
+        )
+        self.exists = True
+
+    def make_delete_command(self):
+        return self.make_command('certprofile_del', self.name)
+
+    def check_delete(self, result):
+        assert_deepequal(dict(
+            value=[self.name],  # correctly a list?
+            summary=u'Deleted profile "{}"'.format(self.name),
+            result=dict(failed=[]),
+        ), result)
+
+    def make_retrieve_command(self, all=False, raw=False, **options):
+        return self.make_command('certprofile_show', self.name, all=all,
+                                 raw=raw, **options)
+
+    def check_retrieve(self, result, all=False, raw=False):
+        if all:
+            expected = self.filter_attrs(self.retrieve_all_keys)
+        else:
+            expected = self.filter_attrs(self.retrieve_keys)
+
+        assert_deepequal(dict(
+            value=self.name,
+            summary=None,
+            result=expected,
+        ), result)
+
+    def make_find_command(self, *args, **kwargs):
+        return self.make_command('certprofile_find', *args, **kwargs)
+
+    def check_find(self, result, all=False, raw=False):
+        if all:
+            expected = self.filter_attrs(self.retrieve_all_keys)
+        else:
+            expected = self.filter_attrs(self.retrieve_keys)
+
+        assert_deepequal(dict(
+            count=1,
+            truncated=False,
+            summary=u'1 profile matched',
+            result=[expected]
+        ), result)
+
+    def make_update_command(self, updates):
+        return self.make_command('certprofile_mod', self.name, **updates)
+
+    def check_update(self, result, extra_keys=()):
+        assert_deepequal(dict(
+            value=self.name,
+            summary=u'Modified Certificate Profile "{}"'.format(self.name),
+            result=self.filter_attrs(self.update_keys | set(extra_keys))
+        ), result)
-- 
2.5.2

From 1e97837900cef8659664fde2f4c655e4cbc7fbdf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= <mku...@redhat.com>
Date: Sun, 23 Aug 2015 16:19:59 +0200
Subject: [PATCH 2/5] ipatests: Add basic tests for certificate profile plugin

---
 .../test_xmlrpc/data/caIPAserviceCert.xml.tmpl     | 619 +++++++++++++++++++++
 .../test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl | 109 ++++
 .../test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl | 109 ++++
 .../data/caIPAserviceCert_mod_mal.cfg.tmpl         | 109 ++++
 ipatests/test_xmlrpc/test_certprofile_plugin.py    | 203 ++++++-
 ipatests/util.py                                   |  10 +
 6 files changed, 1158 insertions(+), 1 deletion(-)
 create mode 100644 ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl
 create mode 100644 ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl
 create mode 100644 ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl
 create mode 100644 ipatests/test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl

diff --git a/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl b/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl
new file mode 100644
index 0000000000000000000000000000000000000000..99548192346b6105ea4f1a015738bfec612e3acd
--- /dev/null
+++ b/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl
@@ -0,0 +1,619 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Profile xmlns:ns2="http://www.w3.org/2005/Atom"; id="caIPAserviceCert_xml">
+    <classId>caEnrollImpl</classId>
+    <name>IPA-RA Agent-Authenticated Server Certificate Enrollment</name>
+    <description>This certificate profile is for enrolling server certificates with IPA-RA agent authentication.</description>
+    <enabled>true</enabled>
+    <visible>false</visible>
+    <enabledBy>ipara</enabledBy>
+    <authenticatorId>raCertAuth</authenticatorId>
+    <authzAcl></authzAcl>
+    <renewal>false</renewal>
+    <xmlOutput>false</xmlOutput>
+    <Input id="i1">
+        <ClassID>certReqInputImpl</ClassID>
+        <Name>Certificate Request Input</Name>
+        <Attribute name="cert_request_type">
+            <Descriptor>
+                <Syntax>cert_request_type</Syntax>
+                <Description>Certificate Request Type</Description>
+            </Descriptor>
+        </Attribute>
+        <Attribute name="cert_request">
+            <Descriptor>
+                <Syntax>cert_request</Syntax>
+                <Description>Certificate Request</Description>
+            </Descriptor>
+        </Attribute>
+    </Input>
+    <Input id="i2">
+        <ClassID>submitterInfoInputImpl</ClassID>
+        <Name>Requestor Information</Name>
+        <Attribute name="requestor_name">
+            <Descriptor>
+                <Syntax>string</Syntax>
+                <Description>Requestor Name</Description>
+            </Descriptor>
+        </Attribute>
+        <Attribute name="requestor_email">
+            <Descriptor>
+                <Syntax>string</Syntax>
+                <Description>Requestor Email</Description>
+            </Descriptor>
+        </Attribute>
+        <Attribute name="requestor_phone">
+            <Descriptor>
+                <Syntax>string</Syntax>
+                <Description>Requestor Phone</Description>
+            </Descriptor>
+        </Attribute>
+    </Input>
+    <Output id="o1">
+        <name>Certificate Output</name>
+        <classId>certOutputImpl</classId>
+        <attributes name="pretty_cert">
+            <Descriptor>
+                <Syntax>pretty_print</Syntax>
+                <Description>Certificate Pretty Print</Description>
+            </Descriptor>
+        </attributes>
+        <attributes name="b64_cert">
+            <Descriptor>
+                <Syntax>pretty_print</Syntax>
+                <Description>Certificate Base-64 Encoded</Description>
+            </Descriptor>
+        </attributes>
+    </Output>
+    <PolicySets>
+        <PolicySet>
+            <id>serverCertSet</id>
+            <value id="1">
+                <def id="Subject Name Default" classId="subjectNameDefaultImpl">
+                    <description>This default populates a Certificate Subject Name to the request. The default values are Subject Name=CN=$request.req_subject_name.cn$, O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM</description>
+                    <policyAttribute name="name">
+                        <Descriptor>
+                            <Syntax>string</Syntax>
+                            <Description>Subject Name</Description>
+                        </Descriptor>
+                    </policyAttribute>
+                    <params name="name">
+                        <value>CN=$request.req_subject_name.cn$, {ipacertbase}</value>
+                    </params>
+                </def>
+                <constraint id="Subject Name Constraint">
+                    <description>This constraint accepts the subject name that matches CN=[^,]+,.+</description>
+                    <classId>subjectNameConstraintImpl</classId>
+                    <constraint id="pattern">
+                        <descriptor>
+                            <Syntax>string</Syntax>
+                            <Description>Subject Name Pattern</Description>
+                        </descriptor>
+                        <value>CN=[^,]+,.+</value>
+                    </constraint>
+                </constraint>
+            </value>
+            <value id="2">
+                <def id="Validity Default" classId="validityDefaultImpl">
+                    <description>This default populates a Certificate Validity to the request. The default values are Range=731 in days</description>
+                    <policyAttribute name="notBefore">
+                        <Descriptor>
+                            <Syntax>string</Syntax>
+                            <Description>Not Before</Description>
+                        </Descriptor>
+                    </policyAttribute>
+                    <policyAttribute name="notAfter">
+                        <Descriptor>
+                            <Syntax>string</Syntax>
+                            <Description>Not After</Description>
+                        </Descriptor>
+                    </policyAttribute>
+                    <params name="range">
+                        <value>731</value>
+                    </params>
+                    <params name="rangeUnit">
+                        <value></value>
+                    </params>
+                    <params name="startTime">
+                        <value>0</value>
+                    </params>
+                </def>
+                <constraint id="Validity Constraint">
+                    <description>This constraint rejects the validity that is not between 740 days.</description>
+                    <classId>validityConstraintImpl</classId>
+                    <constraint id="range">
+                        <descriptor>
+                            <Syntax>integer</Syntax>
+                            <Description>Validity Range</Description>
+                            <DefaultValue>365</DefaultValue>
+                        </descriptor>
+                        <value>740</value>
+                    </constraint>
+                    <constraint id="rangeUnit">
+                        <descriptor>
+                            <Syntax>string</Syntax>
+                            <Description>Validity Range Unit (default: day)</Description>
+                            <DefaultValue>day</DefaultValue>
+                        </descriptor>
+                        <value></value>
+                    </constraint>
+                    <constraint id="notBeforeGracePeriod">
+                        <descriptor>
+                            <Syntax>integer</Syntax>
+                            <Description>Grace period for Not Before being set in the future (in seconds).</Description>
+                            <DefaultValue>0</DefaultValue>
+                        </descriptor>
+                        <value></value>
+                    </constraint>
+                    <constraint id="notBeforeCheck">
+                        <descriptor>
+                            <Syntax>boolean</Syntax>
+                            <Description>Check Not Before against current time</Description>
+                            <DefaultValue>false</DefaultValue>
+                        </descriptor>
+                        <value>false</value>
+                    </constraint>
+                    <constraint id="notAfterCheck">
+                        <descriptor>
+                            <Syntax>boolean</Syntax>
+                            <Description>Check Not After against Not Before</Description>
+                            <DefaultValue>false</DefaultValue>
+                        </descriptor>
+                        <value>false</value>
+                    </constraint>
+                </constraint>
+            </value>
+            <value id="3">
+                <def id="Key Default" classId="userKeyDefaultImpl">
+                    <description>This default populates a User-Supplied Certificate Key to the request.</description>
+                    <policyAttribute name="TYPE">
+                        <Descriptor>
+                            <Syntax>string</Syntax>
+                            <Constraint>readonly</Constraint>
+                            <Description>Key Type</Description>
+                        </Descriptor>
+                    </policyAttribute>
+                    <policyAttribute name="LEN">
+                        <Descriptor>
+                            <Syntax>string</Syntax>
+                            <Constraint>readonly</Constraint>
+                            <Description>Key Length</Description>
+                        </Descriptor>
+                    </policyAttribute>
+                    <policyAttribute name="KEY">
+                        <Descriptor>
+                            <Syntax>string</Syntax>
+                            <Constraint>readonly</Constraint>
+                            <Description>Key</Description>
+                        </Descriptor>
+                    </policyAttribute>
+                </def>
+                <constraint id="Key Constraint">
+                    <description>This constraint accepts the key only if Key Type=RSA, Key Parameters =1024,2048,3072,4096</description>
+                    <classId>keyConstraintImpl</classId>
+                    <constraint id="keyType">
+                        <descriptor>
+                            <Syntax>choice</Syntax>
+                            <Constraint>-,RSA,EC</Constraint>
+                            <Description>Key Type</Description>
+                            <DefaultValue>RSA</DefaultValue>
+                        </descriptor>
+                        <value>RSA</value>
+                    </constraint>
+                    <constraint id="keyParameters">
+                        <descriptor>
+                            <Syntax>string</Syntax>
+                            <Description>Key Lengths or Curves. For EC use comma separated list of curves, otherise use list of key sizes. Ex: 1024,2048,4096,8192 or: nistp256,nistp384,nistp521,sect163k1,nistk163 for EC.</Description>
+                            <DefaultValue></DefaultValue>
+                        </descriptor>
+                        <value>1024,2048,3072,4096</value>
+                    </constraint>
+                </constraint>
+            </value>
+            <value id="4">
+                <def id="Authority Key Identifier Default" classId="authorityKeyIdentifierExtDefaultImpl">
+                    <description>This default populates an Authority Key Identifier Extension (2.5.29.35) to the request.</description>
+                    <policyAttribute name="critical">
+                        <Descriptor>
+                            <Syntax>string</Syntax>
+                            <Constraint>readonly</Constraint>
+                            <Description>Criticality</Description>
+                        </Descriptor>
+                    </policyAttribute>
+                    <policyAttribute name="keyid">
+                        <Descriptor>
+                            <Syntax>string</Syntax>
+                            <Constraint>readonly</Constraint>
+                            <Description>Key ID</Description>
+                        </Descriptor>
+                    </policyAttribute>
+                </def>
+                <constraint id="No Constraint">
+                    <description>No Constraint</description>
+                    <classId>noConstraintImpl</classId>
+                </constraint>
+            </value>
+            <value id="5">
+                <def id="AIA Extension Default" classId="authInfoAccessExtDefaultImpl">
+                    <description>This default populates a Authority Info Access Extension (1.3.6.1.5.5.7.1.1) to the request. The default values are Criticality=false, Record #0 ( Method:1.3.6.1.5.5.7.48.1,Location Type:URIName,Location:http://ipa-ca.{ipadomain}/ca/ocsp,Enable:true)</description>
+                    <policyAttribute name="authInfoAccessCritical">
+                        <Descriptor>
+                            <Syntax>boolean</Syntax>
+                            <Description>Criticality</Description>
+                            <DefaultValue>false</DefaultValue>
+                        </Descriptor>
+                    </policyAttribute>
+                    <policyAttribute name="authInfoAccessGeneralNames">
+                        <Descriptor>
+                            <Syntax>string_list</Syntax>
+                            <Description>General Names</Description>
+                        </Descriptor>
+                    </policyAttribute>
+                    <params name="authInfoAccessCritical">
+                        <value>false</value>
+                    </params>
+                    <params name="authInfoAccessNumADs">
+                        <value>1</value>
+                    </params>
+                    <params name="authInfoAccessADMethod_0">
+                        <value>1.3.6.1.5.5.7.48.1</value>
+                    </params>
+                    <params name="authInfoAccessADLocationType_0">
+                        <value>URIName</value>
+                    </params>
+                    <params name="authInfoAccessADLocation_0">
+                        <value>http://ipa-ca.{ipadomain}/ca/ocsp</value>
+                    </params>
+                    <params name="authInfoAccessADEnable_0">
+                        <value>true</value>
+                    </params>
+                </def>
+                <constraint id="No Constraint">
+                    <description>No Constraint</description>
+                    <classId>noConstraintImpl</classId>
+                </constraint>
+            </value>
+            <value id="6">
+                <def id="Key Usage Default" classId="keyUsageExtDefaultImpl">
+                    <description>This default populates a Key Usage Extension (2.5.29.15) to the request. The default values are Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=true, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false</description>
+                    <policyAttribute name="keyUsageCritical">
+                        <Descriptor>
+                            <Syntax>boolean</Syntax>
+                            <Description>Criticality</Description>
+                            <DefaultValue>false</DefaultValue>
+                        </Descriptor>
+                    </policyAttribute>
+                    <policyAttribute name="keyUsageDigitalSignature">
+                        <Descriptor>
+                            <Syntax>boolean</Syntax>
+                            <Description>Digital Signature</Description>
+                            <DefaultValue>false</DefaultValue>
+                        </Descriptor>
+                    </policyAttribute>
+                    <policyAttribute name="keyUsageNonRepudiation">
+                        <Descriptor>
+                            <Syntax>boolean</Syntax>
+                            <Description>Non-Repudiation</Description>
+                            <DefaultValue>false</DefaultValue>
+                        </Descriptor>
+                    </policyAttribute>
+                    <policyAttribute name="keyUsageKeyEncipherment">
+                        <Descriptor>
+                            <Syntax>boolean</Syntax>
+                            <Description>Key Encipherment</Description>
+                            <DefaultValue>false</DefaultValue>
+                        </Descriptor>
+                    </policyAttribute>
+                    <policyAttribute name="keyUsageDataEncipherment">
+                        <Descriptor>
+                            <Syntax>boolean</Syntax>
+                            <Description>Data Encipherment</Description>
+                            <DefaultValue>false</DefaultValue>
+                        </Descriptor>
+                    </policyAttribute>
+                    <policyAttribute name="keyUsageKeyAgreement">
+                        <Descriptor>
+                            <Syntax>boolean</Syntax>
+                            <Description>Key Agreement</Description>
+                            <DefaultValue>false</DefaultValue>
+                        </Descriptor>
+                    </policyAttribute>
+                    <policyAttribute name="keyUsageKeyCertSign">
+                        <Descriptor>
+                            <Syntax>boolean</Syntax>
+                            <Description>Key CertSign</Description>
+                            <DefaultValue>false</DefaultValue>
+                        </Descriptor>
+                    </policyAttribute>
+                    <policyAttribute name="keyUsageCrlSign">
+                        <Descriptor>
+                            <Syntax>boolean</Syntax>
+                            <Description>CRL Sign</Description>
+                            <DefaultValue>false</DefaultValue>
+                        </Descriptor>
+                    </policyAttribute>
+                    <policyAttribute name="keyUsageEncipherOnly">
+                        <Descriptor>
+                            <Syntax>boolean</Syntax>
+                            <Description>Encipher Only</Description>
+                            <DefaultValue>false</DefaultValue>
+                        </Descriptor>
+                    </policyAttribute>
+                    <policyAttribute name="keyUsageDecipherOnly">
+                        <Descriptor>
+                            <Syntax>boolean</Syntax>
+                            <Description>Decipher Only</Description>
+                            <DefaultValue>false</DefaultValue>
+                        </Descriptor>
+                    </policyAttribute>
+                    <params name="keyUsageCritical">
+                        <value>true</value>
+                    </params>
+                    <params name="keyUsageDigitalSignature">
+                        <value>true</value>
+                    </params>
+                    <params name="keyUsageNonRepudiation">
+                        <value>true</value>
+                    </params>
+                    <params name="keyUsageKeyEncipherment">
+                        <value>true</value>
+                    </params>
+                    <params name="keyUsageDataEncipherment">
+                        <value>true</value>
+                    </params>
+                    <params name="keyUsageKeyAgreement">
+                        <value>false</value>
+                    </params>
+                    <params name="keyUsageKeyCertSign">
+                        <value>false</value>
+                    </params>
+                    <params name="keyUsageCrlSign">
+                        <value>false</value>
+                    </params>
+                    <params name="keyUsageEncipherOnly">
+                        <value>false</value>
+                    </params>
+                    <params name="keyUsageDecipherOnly">
+                        <value>false</value>
+                    </params>
+                </def>
+                <constraint id="Key Usage Extension Constraint">
+                    <description>This constraint accepts the Key Usage extension, if present, only when Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=true, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false</description>
+                    <classId>keyUsageExtConstraintImpl</classId>
+                    <constraint id="keyUsageCritical">
+                        <descriptor>
+                            <Syntax>choice</Syntax>
+                            <Constraint>true,false,-</Constraint>
+                            <Description>Criticality</Description>
+                            <DefaultValue>-</DefaultValue>
+                        </descriptor>
+                        <value>true</value>
+                    </constraint>
+                    <constraint id="keyUsageDigitalSignature">
+                        <descriptor>
+                            <Syntax>choice</Syntax>
+                            <Constraint>true,false,-</Constraint>
+                            <Description>Digital Signature</Description>
+                            <DefaultValue>-</DefaultValue>
+                        </descriptor>
+                        <value>true</value>
+                    </constraint>
+                    <constraint id="keyUsageNonRepudiation">
+                        <descriptor>
+                            <Syntax>choice</Syntax>
+                            <Constraint>true,false,-</Constraint>
+                            <Description>Non-Repudiation</Description>
+                            <DefaultValue>-</DefaultValue>
+                        </descriptor>
+                        <value>true</value>
+                    </constraint>
+                    <constraint id="keyUsageKeyEncipherment">
+                        <descriptor>
+                            <Syntax>choice</Syntax>
+                            <Constraint>true,false,-</Constraint>
+                            <Description>Key Encipherment</Description>
+                            <DefaultValue>-</DefaultValue>
+                        </descriptor>
+                        <value>true</value>
+                    </constraint>
+                    <constraint id="keyUsageDataEncipherment">
+                        <descriptor>
+                            <Syntax>choice</Syntax>
+                            <Constraint>true,false,-</Constraint>
+                            <Description>Data Encipherment</Description>
+                            <DefaultValue>-</DefaultValue>
+                        </descriptor>
+                        <value>true</value>
+                    </constraint>
+                    <constraint id="keyUsageKeyAgreement">
+                        <descriptor>
+                            <Syntax>choice</Syntax>
+                            <Constraint>true,false,-</Constraint>
+                            <Description>Key Agreement</Description>
+                            <DefaultValue>-</DefaultValue>
+                        </descriptor>
+                        <value>false</value>
+                    </constraint>
+                    <constraint id="keyUsageKeyCertSign">
+                        <descriptor>
+                            <Syntax>choice</Syntax>
+                            <Constraint>true,false,-</Constraint>
+                            <Description>Key CertSign</Description>
+                            <DefaultValue>-</DefaultValue>
+                        </descriptor>
+                        <value>false</value>
+                    </constraint>
+                    <constraint id="keyUsageCrlSign">
+                        <descriptor>
+                            <Syntax>choice</Syntax>
+                            <Constraint>true,false,-</Constraint>
+                            <Description>CRL Sign</Description>
+                            <DefaultValue>-</DefaultValue>
+                        </descriptor>
+                        <value>false</value>
+                    </constraint>
+                    <constraint id="keyUsageEncipherOnly">
+                        <descriptor>
+                            <Syntax>choice</Syntax>
+                            <Constraint>true,false,-</Constraint>
+                            <Description>Encipher Only</Description>
+                            <DefaultValue>-</DefaultValue>
+                        </descriptor>
+                        <value>false</value>
+                    </constraint>
+                    <constraint id="keyUsageDecipherOnly">
+                        <descriptor>
+                            <Syntax>choice</Syntax>
+                            <Constraint>true,false,-</Constraint>
+                            <Description>Decipher Only</Description>
+                            <DefaultValue>-</DefaultValue>
+                        </descriptor>
+                        <value>false</value>
+                    </constraint>
+                </constraint>
+            </value>
+            <value id="7">
+                <def id="Extended Key Usage Extension Default" classId="extendedKeyUsageExtDefaultImpl">
+                    <description>This default populates an Extended Key Usage Extension () to the request. The default values are Criticality=false, OIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2</description>
+                    <policyAttribute name="exKeyUsageCritical">
+                        <Descriptor>
+                            <Syntax>boolean</Syntax>
+                            <Description>Criticality</Description>
+                            <DefaultValue>false</DefaultValue>
+                        </Descriptor>
+                    </policyAttribute>
+                    <policyAttribute name="exKeyUsageOIDs">
+                        <Descriptor>
+                            <Syntax>string_list</Syntax>
+                            <Description>Comma-Separated list of Object Identifiers</Description>
+                        </Descriptor>
+                    </policyAttribute>
+                    <params name="exKeyUsageCritical">
+                        <value>false</value>
+                    </params>
+                    <params name="exKeyUsageOIDs">
+                        <value>1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2</value>
+                    </params>
+                </def>
+                <constraint id="No Constraint">
+                    <description>No Constraint</description>
+                    <classId>noConstraintImpl</classId>
+                </constraint>
+            </value>
+            <value id="8">
+                <def id="Signing Alg" classId="signingAlgDefaultImpl">
+                    <description>This default populates the Certificate Signing Algorithm. The default values are Algorithm=SHA256withRSA</description>
+                    <policyAttribute name="signingAlg">
+                        <Descriptor>
+                            <Syntax>choice</Syntax>
+                            <Constraint>SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA</Constraint>
+                            <Description>Signing Algorithm</Description>
+                        </Descriptor>
+                    </policyAttribute>
+                    <params name="signingAlg">
+                        <value>-</value>
+                    </params>
+                </def>
+                <constraint id="No Constraint">
+                    <description>This constraint accepts only the Signing Algorithms of SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC</description>
+                    <classId>signingAlgConstraintImpl</classId>
+                    <constraint id="signingAlgsAllowed">
+                        <descriptor>
+                            <Syntax>string</Syntax>
+                            <Description>Allowed Signing Algorithms</Description>
+                            <DefaultValue>SHA1withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC</DefaultValue>
+                        </descriptor>
+                        <value>SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC</value>
+                    </constraint>
+                </constraint>
+            </value>
+            <value id="9">
+                <def id="CRL Distribution Points Extension Default" classId="crlDistributionPointsExtDefaultImpl">
+                    <description>This default populates a CRL Distribution Points Extension (2.5.29.31) to the request. The default values are Criticality=false, Record #0 Point Type:URIName,Point Name:http://ipa-ca.{ipadomain}/ipa/crl/MasterCRL.bin,Reasons:,Issuer Type:DirectoryName,Issuer Name:CN=Certificate Authority,o=ipaca,Enable:true)</description>
+                    <policyAttribute name="crlDistPointsCritical">
+                        <Descriptor>
+                            <Syntax>boolean</Syntax>
+                            <Description>Criticality</Description>
+                            <DefaultValue>false</DefaultValue>
+                        </Descriptor>
+                    </policyAttribute>
+                    <policyAttribute name="crlDistPointsValue">
+                        <Descriptor>
+                            <Syntax>string_list</Syntax>
+                            <Description>CRL Distribution Points</Description>
+                        </Descriptor>
+                    </policyAttribute>
+                    <params name="crlDistPointsCritical">
+                        <value>false</value>
+                    </params>
+                    <params name="crlDistPointsNum">
+                        <value>1</value>
+                    </params>
+                    <params name="crlDistPointsPointType_0">
+                        <value>URIName</value>
+                    </params>
+                    <params name="crlDistPointsPointName_0">
+                        <value>http://ipa-ca.{ipadomain}/ipa/crl/MasterCRL.bin</value>
+                    </params>
+                    <params name="crlDistPointsReasons_0">
+                        <value></value>
+                    </params>
+                    <params name="crlDistPointsIssuerType_0">
+                        <value>DirectoryName</value>
+                    </params>
+                    <params name="crlDistPointsIssuerName_0">
+                        <value>CN=Certificate Authority,o=ipaca</value>
+                    </params>
+                    <params name="crlDistPointsEnable_0">
+                        <value>true</value>
+                    </params>
+                </def>
+                <constraint id="No Constraint">
+                    <description>No Constraint</description>
+                    <classId>noConstraintImpl</classId>
+                </constraint>
+            </value>
+            <value id="10">
+                <def id="Subject Key Identifier Extension Default" classId="subjectKeyIdentifierExtDefaultImpl">
+                    <description>This default populates a Subject Key Identifier Extension (2.5.29.14) to the request.</description>
+                    <policyAttribute name="critical">
+                        <Descriptor>
+                            <Syntax>string</Syntax>
+                            <Constraint>readonly</Constraint>
+                            <Description>Criticality</Description>
+                        </Descriptor>
+                    </policyAttribute>
+                    <policyAttribute name="keyid">
+                        <Descriptor>
+                            <Syntax>string</Syntax>
+                            <Constraint>readonly</Constraint>
+                            <Description>Key ID</Description>
+                        </Descriptor>
+                    </policyAttribute>
+                </def>
+                <constraint id="No Constraint">
+                    <description>No Constraint</description>
+                    <classId>noConstraintImpl</classId>
+                </constraint>
+            </value>
+            <value id="11">
+                <def id="User Supplied Extension Default" classId="userExtensionDefaultImpl">
+                    <description>This default populates a User-Supplied Extension (2.5.29.17) to the request.</description>
+                    <policyAttribute name="userExtOID">
+                        <Descriptor>
+                            <Syntax>string</Syntax>
+                            <Constraint>readonly</Constraint>
+                            <Description>Object Identifier</Description>
+                        </Descriptor>
+                    </policyAttribute>
+                    <params name="userExtOID">
+                        <value>2.5.29.17</value>
+                    </params>
+                </def>
+                <constraint id="No Constraint">
+                    <description>No Constraint</description>
+                    <classId>noConstraintImpl</classId>
+                </constraint>
+            </value>
+        </PolicySet>
+    </PolicySets>
+</Profile>
diff --git a/ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl b/ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl
new file mode 100644
index 0000000000000000000000000000000000000000..7fc2281ee14d06ef707617e27824f1fc787055c2
--- /dev/null
+++ b/ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl
@@ -0,0 +1,109 @@
+auth.instance_id=raCertAuth
+classId=caEnrollImpl
+profileId=caIPAserviceCert_mal
+visible=false
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+enable=true
+enableBy=ipara
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+input.list=i1,i2
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, {ipacertbase}
+policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.10.constraint.name=No Constraint
+policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
+policyset.serverCertSet.10.default.params.critical=false
+policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.11.constraint.name=No Constraint
+policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
+policyset.serverCertSet.11.default.name=User Supplied Extension Default
+policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.{ipadomain}/ca/ocsp
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
+policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
+policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
+policyset.serverCertSet.9.default.params.crlDistPointsNum=1
+policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.{ipadomain}/ipa/crl/MasterCRL.bin
+policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
+policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12
diff --git a/ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl b/ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl
new file mode 100644
index 0000000000000000000000000000000000000000..cff15446276bb2f792beff33103846b046ce2a8d
--- /dev/null
+++ b/ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl
@@ -0,0 +1,109 @@
+auth.instance_id=raCertAuth
+classId=caEnrollImpl
+profileId=caIPAserviceCert_mod
+visible=false
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+enable=true
+enableBy=ipara
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+input.list=i1,i2
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, {ipacertbase}
+policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.10.constraint.name=No Constraint
+policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
+policyset.serverCertSet.10.default.params.critical=false
+policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.11.constraint.name=No Constraint
+policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
+policyset.serverCertSet.11.default.name=User Supplied Extension Default
+policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.{ipadomain}/ca/ocsp
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
+policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
+policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
+policyset.serverCertSet.9.default.params.crlDistPointsNum=1
+policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.{ipadomain}/ipa/crl/MasterCRL.bin
+policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
+policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
diff --git a/ipatests/test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl b/ipatests/test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl
new file mode 100644
index 0000000000000000000000000000000000000000..3fa2970b0ad87c3ff91b885be6f387d7de05cb05
--- /dev/null
+++ b/ipatests/test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl
@@ -0,0 +1,109 @@
+auth.instance_id=raCertAuth
+classId=caEnrollImpl
+profileId=caIPAserviceCert_mod
+visible=false
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+enable=true
+enableBy=ipara
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+input.list=i1,i2
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, {ipacertbase}
+policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.10.constraint.name=No Constraint
+policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
+policyset.serverCertSet.10.default.params.critical=false
+policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.11.constraint.name=No Constraint
+policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
+policyset.serverCertSet.11.default.name=User Supplied Extension Default
+policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.{ipadomain}/ca/ocsp
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
+policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
+policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
+policyset.serverCertSet.9.default.params.crlDistPointsNum=1
+policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.{ipadomain}/ipa/crl/MasterCRL.bin
+policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
+policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12
diff --git a/ipatests/test_xmlrpc/test_certprofile_plugin.py b/ipatests/test_xmlrpc/test_certprofile_plugin.py
index 8fd81bc3f0cc7896adb9fdb6904ace1e7ebc52b3..2875cfe110dfbd98eb826e7208569632a60ac60e 100644
--- a/ipatests/test_xmlrpc/test_certprofile_plugin.py
+++ b/ipatests/test_xmlrpc/test_certprofile_plugin.py
@@ -11,8 +11,9 @@ import os
 
 import pytest
 
-from ipalib import errors
+from ipalib import api, errors
 from ipapython.dn import DN
+from ipatests.util import prepare_config
 from ipatests.test_xmlrpc.ldaptracker import Tracker
 from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test, raises_exact
 from ipatests.test_xmlrpc import objectclasses
@@ -138,3 +139,203 @@ class CertprofileTracker(Tracker):
             summary=u'Modified Certificate Profile "{}"'.format(self.name),
             result=self.filter_attrs(self.update_keys | set(extra_keys))
         ), result)
+
+
+IPA_CERT_SUBJ_BASE = (
+    api.Command.config_show()
+    ['result']['ipacertificatesubjectbase'][0]
+)
+
+BASE_DIR = os.path.dirname(__file__)
+CA_IPA_SERVICE_MODIFIED_TEMPLATE = os.path.join(
+    BASE_DIR, 'data/caIPAserviceCert_mod.cfg.tmpl')
+
+CA_IPA_SERVICE_MODIFIED_MALFORMED_TEMPLATE = os.path.join(
+    BASE_DIR, 'data/caIPAserviceCert_mod_mal.cfg.tmpl')
+
+CA_IPA_SERVICE_MALFORMED_TEMPLATE = os.path.join(
+    BASE_DIR, 'data/caIPAserviceCert_mal.cfg.tmpl')
+
+CA_IPA_SERVICE_XML_TEMPLATE = os.path.join(
+    BASE_DIR, 'data/caIPAserviceCert.xml.tmpl')
+
+RENAME_ERR_TEMPL = (
+    u'certprofile {} cannot be deleted/modified: '
+    'Certificate profiles cannot be renamed')
+
+
+@pytest.fixture(scope='class')
+def default_profile(request):
+    name = 'caIPAserviceCert'
+    desc = u'Standard profile for network services'
+    tracker = CertprofileTracker(name, store=True, desc=desc)
+    tracker.track_create()
+    return tracker
+
+
+@pytest.fixture(scope='class')
+def user_profile(request):
+    name = 'caIPAserviceCert_mod'
+    profile_path = prepare_config(
+        CA_IPA_SERVICE_MODIFIED_TEMPLATE,
+        dict(
+            ipadomain=api.env.domain,
+            ipacertbase=IPA_CERT_SUBJ_BASE))
+
+    tracker = CertprofileTracker(
+        name, store=True, desc=u'Storing copy of a profile',
+        profile=profile_path
+    )
+
+    return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def malformed(request):
+    name = u'caIPAserviceCert_mal'
+    profile_path = prepare_config(
+        CA_IPA_SERVICE_MALFORMED_TEMPLATE,
+        dict(
+            ipadomain=api.env.domain,
+            ipacertbase=IPA_CERT_SUBJ_BASE))
+
+    tracker = CertprofileTracker(name, store=True, desc=u'malformed profile',
+                                 profile=profile_path)
+
+    # Do not return with finalizer. There should be nothing to delete
+    return tracker
+
+
+@pytest.fixture(scope='class')
+def xmlprofile(request):
+    name = u'caIPAserviceCert_xml'
+    profile_path = prepare_config(
+        CA_IPA_SERVICE_XML_TEMPLATE,
+        dict(
+            ipadomain=api.env.domain,
+            ipacertbase=IPA_CERT_SUBJ_BASE))
+
+    tracker = CertprofileTracker(name, store=True, desc=u'xml format profile',
+                                 profile=profile_path)
+
+    return tracker
+
+
+class TestDefaultProfile(XMLRPC_test):
+    def test_default_profile_present(self, default_profile):
+        default_profile.retrieve()
+
+    def test_deleting_default_profile(self, default_profile):
+        with pytest.raises(errors.ValidationError):
+            default_profile.delete()
+
+    def test_try_rename_by_setattr(self, default_profile):
+        command = default_profile.make_update_command(
+            updates=dict(setattr=u'cn=bogus'))
+        errmsg = RENAME_ERR_TEMPL.format(default_profile.name)
+
+        with raises_exact(errors.ProtectedEntryError(message=errmsg)):
+            command()
+
+    def test_try_rename_by_rename_option(self, default_profile):
+        command = default_profile.make_update_command(dict(rename=u'bogus_id'))
+        with pytest.raises(errors.OptionError):
+            command()
+
+
+class TestProfileCRUD(XMLRPC_test):
+    def test_create_duplicate(self, user_profile):
+        msg = u'Certificate Profile with name "{}" already exists'
+        user_profile.ensure_exists()
+        command = user_profile.make_create_command(force=True)
+        with raises_exact(errors.DuplicateEntry(
+                message=msg.format(user_profile.name))):
+            command()
+
+    def test_retrieve_simple(self, user_profile):
+        user_profile.retrieve()
+
+    def test_retrieve_all(self, user_profile):
+        user_profile.retrieve(all=True)
+
+    def test_export_profile(self, tmpdir, user_profile):
+        profile = tmpdir.join('{}.cfg'.format(user_profile.name))
+
+        command = user_profile.make_retrieve_command(out=unicode(profile))
+        command()
+
+        content = profile.read()
+        assert user_profile.name in content
+
+    def test_search_simple(self, user_profile):
+        user_profile.find()
+
+    def test_search_all(self, user_profile):
+        user_profile.find(all=True)
+
+    def test_update_store(self, user_profile):
+        user_profile.update(
+            dict(
+                ipacertprofilestoreissued=False
+            ),
+            expected_updates=dict(
+                ipacertprofilestoreissued=[u'FALSE']
+            )
+        )
+
+    def test_update_description(self, user_profile):
+        new_desc = u'new description'
+        user_profile.update(
+            dict(
+                description=new_desc
+            ),
+            expected_updates=dict(
+                description=[new_desc]
+            )
+        )
+
+    def test_update_by_malformed_profile(self, user_profile):
+        profile_path = prepare_config(
+            CA_IPA_SERVICE_MODIFIED_MALFORMED_TEMPLATE,
+            dict(
+                ipadomain=api.env.domain,
+                ipacertbase=IPA_CERT_SUBJ_BASE))
+
+        with open(profile_path, ) as f:
+            profile_content = f.read()
+        command = user_profile.make_update_command(
+            dict(file=unicode(profile_content)))
+
+        with pytest.raises(errors.ExecutionError):
+            command()
+
+    def test_try_rename_by_setattr(self, user_profile):
+        user_profile.ensure_exists()
+        command = user_profile.make_update_command(
+            updates=dict(setattr=u'cn=bogus'))
+        errmsg = RENAME_ERR_TEMPL.format(user_profile.name)
+
+        with raises_exact(errors.ProtectedEntryError(message=errmsg)):
+            command()
+
+    def test_delete(self, user_profile):
+        user_profile.ensure_exists()
+        user_profile.delete()
+
+    def test_try_rename_by_rename_option(self, user_profile):
+        user_profile.ensure_exists()
+        command = user_profile.make_update_command(dict(rename=u'bogus_id'))
+        with pytest.raises(errors.OptionError):
+            command()
+
+
+class TestMalformedProfile(XMLRPC_test):
+    def test_malformed_import(self, malformed):
+        with pytest.raises(errors.ExecutionError):
+            malformed.create()
+
+
+class TestImportFromXML(XMLRPC_test):
+    def test_import_xml(self, xmlprofile):
+        with pytest.raises(errors.ExecutionError):
+            xmlprofile.ensure_exists()
diff --git a/ipatests/util.py b/ipatests/util.py
index 5a6595a62b2fa677d3a6db98d18bc19cbd68a9c3..2039095b09c01856a49fd2ac5c35b5097ee94a8b 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -650,3 +650,13 @@ class MockLDAP(object):
     def unbind(self):
         if self.connection is not None:
             self.connection.unbind_s()
+
+
+def prepare_config(template, values):
+    with open(template) as f:
+        template = f.read()
+
+    with tempfile.NamedTemporaryFile(mode='w', delete=False) as config:
+        config.write(template.format(**values))
+
+    return config.name
-- 
2.5.2

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to