URL: https://github.com/freeipa/freeipa/pull/947
Author: Rezney
 Title: #947: test_caless: add SAN dNSName extensions for wildcard tests
Action: opened

PR body:
"""
It may happen that FQDN does not match with the domain mapped to
the host. In this case we add wildcard for both domains.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/947/head:pr947
git checkout pr947
From 317ab4d5a57ed83e366ff54243d6bc01630e7c5f Mon Sep 17 00:00:00 2001
From: Michal Reznik <mrez...@redhat.com>
Date: Fri, 28 Jul 2017 08:54:54 +0200
Subject: [PATCH] test_caless: add SAN dNSName extensions for wildcard tests

It may happen that FQDN does not match with the domain mapped to
the host. In this case we add wildcard for both domains.
---
 ipatests/test_integration/create_caless_pki.py | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/create_caless_pki.py b/ipatests/test_integration/create_caless_pki.py
index ddad3f96bc..2eb5c8ee9a 100644
--- a/ipatests/test_integration/create_caless_pki.py
+++ b/ipatests/test_integration/create_caless_pki.py
@@ -162,7 +162,7 @@ def profile_ca(builder, ca_nick, ca):
 
 def profile_server(builder, ca_nick, ca,
                    warp=datetime.timedelta(days=0), dns_name=None,
-                   badusage=False):
+                   badusage=False, wildcard=False):
     now = datetime.datetime.utcnow() + warp
 
     builder = builder.not_valid_before(now)
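Review bot: The new `wildcard=False` keyword in the `profile_server` signature sits next to `dns_name` with nothing stating how the two combine. If the `dns_name` branch (outside this hunk) also adds a SubjectAlternativeName, passing both would make the builder reject the second `add_extension` call as a duplicate extension. I would document the contract above the signature, for example `# wildcard and dns_name are mutually exclusive: each adds its own SubjectAlternativeName`, or raise early when both are set. The body of profile_server continues past this hunk.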
@@ -204,6 +204,21 @@ def profile_server(builder, ca_nick, ca,
             critical=False
         )
 
+    if wildcard:
+        server_domain = server1.split('.', 1)[1]
+        if domain != server_domain:
+            builder = builder.add_extension(
+                x509.SubjectAlternativeName([
+                     x509.DNSName(u'*.' + domain),
+                     x509.DNSName(u'*.' + server_domain),
+                ]),
+                critical=False,
+            )
+        else:
+            builder = builder.add_extension(
+                x509.SubjectAlternativeName([x509.DNSName(u'*.' + domain)]),
+                critical=False,
+            )
     return builder
 
 
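Review bot: `server1.split('.', 1)[1]` in the new `if wildcard:` block raises IndexError when `server1` contains no dot, and the two branches repeat the same `add_extension` call with only the name list differing. `domain` and `server1` are not defined in this hunk, so they are presumably module-level values set elsewhere; reading them implicitly also means the SAN always follows those globals rather than the subject the caller passed in. Taking the part after the first dot with `partition` and building the name list once handles the single-label case and removes the duplication. profile_server starts outside this hunk.

```python
    if wildcard:
        names = [u'*.' + domain]
        # partition() yields '' instead of raising when server1 has no dot
        server_domain = server1.partition('.')[2]
        if server_domain and server_domain != domain:
            names.append(u'*.' + server_domain)
        builder = builder.add_extension(
            x509.SubjectAlternativeName(
                [x509.DNSName(name) for name in names]
            ),
            critical=False,
        )
    return builder
```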
@@ -488,7 +503,7 @@ def gen_subtree(nick_base, org, ca=None):
                 x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
                 x509.NameAttribute(NameOID.COMMON_NAME, u'*.' + domain)
              ]),
-             subca
+             subca, wildcard=True
              )
     gen_server_certs(u'server', server1, org, subca)
     gen_server_certs(u'replica', server2, org, subca)