Re: [Freeipa-devel] [PATCH] 0257 Add initial CA-less installation tests

2013-08-28 Thread Jan Cholasta

On 27.8.2013 10:16, Petr Viktorin wrote:

On 08/26/2013 09:23 AM, Jan Cholasta wrote:

On 22.8.2013 09:46, Petr Viktorin wrote:

On 08/16/2013 07:13 PM, Petr Viktorin wrote:

On 07/30/2013 05:47 PM, Petr Viktorin wrote:

Hello,
This patch implements the first batch of integration tests for CA-less
installation. Tests from http://www.freeipa.org/page/V3/CA-less_install
up to IPA server install with missing DS PKCS#12 password are
included.

Running this already takes an hour in the lab I use, so I decided to
split the patch up and post the first part for review now.

The two tests for revoked certificates fail. This is expected as we
don't handle revoked certs yet.


Continuing, this patch includes all tests except the ones for UI
(pvoborni's patch 443) and certinstall (I'll review jcholast's fixes
first).
See commit message for details.


Here is the completed patch, with all tests except the Web UI ones.



 - The following case is omitted as it is invalid:
   - Verify that IPA client install does not configure certmonger

Instead of making a note in the commit, I would prefer if you deleted
the test case. There's no need to keep it if it's invalid, right?

Honza



You're right. I've deleted the case from the test plan.



Thanks.

The service-disable and host-disable tests fail with AlreadyInactive, 
because the certificate is removed with service-mod and host-mod in 
earlier tests. I think the service and host command tests should look 
like this:


1. Verify that {service,host}-del does not attempt to revoke 
{host,service}'s certificate

{service,host}-add
{service,host}-del

2. Verify that {service,host}-mod does not attempt to revoke 
{host,service}'s certificate

{service,host}-add
{service,host}-mod
{service,host}-del

3. Verify that {service,host}-disable does not attempt to revoke 
{host,service}'s certificate

{service,host}-add
{service,host}-disable
{service,host}-del

There are a few wrong docstrings:

+def test_service_mod_doesnt_revoke(self):
+Verify that service-mod does not attempt to revoke host's 
certificate


+def test_service_del_doesnt_revoke(self):
+Verify that service-del does not attempt to revoke host's 
certificate


+def test_ds_san(self):
+Install new HTTP certificate with SAN

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 0257 Add initial CA-less installation tests

2013-08-28 Thread Jan Cholasta

On 28.8.2013 17:15, Petr Viktorin wrote:

On 08/28/2013 03:23 PM, Jan Cholasta wrote:

Thanks.

The service-disable and host-disable tests fail with AlreadyInactive,
because the certificate is removed with service-mod and host-mod in
earlier tests. I think the service and host command tests should look
like this:

1. Verify that {service,host}-del does not attempt to revoke
{host,service}'s certificate
 {service,host}-add
 {service,host}-del

2. Verify that {service,host}-mod does not attempt to revoke
{host,service}'s certificate
 {service,host}-add
 {service,host}-mod
 {service,host}-del

3. Verify that {service,host}-disable does not attempt to revoke
{host,service}'s certificate
 {service,host}-add
 {service,host}-disable
 {service,host}-del


Fixed. I've used context managers so the -del isn't skipped when there's
an error.


There are a few wrong docstrings:

+def test_service_mod_doesnt_revoke(self):
+Verify that service-mod does not attempt to revoke host's
certificate

+def test_service_del_doesnt_revoke(self):
+Verify that service-del does not attempt to revoke host's
certificate

+def test_ds_san(self):
+Install new HTTP certificate with SAN



Fixed.


The TestIPACommands.service context manager does not call service-del.

TestCertInstall.test_ds_san docstring still says HTTP instead of DS.



Thanks for the review, fixed patch attached.
The service-disable test still fails, due to
https://fedorahosted.org/freeipa/ticket/3886.



OK.

--
Jan Cholasta

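The add/mod/disable/del structure proposed above, and the context-manager cleanup mentioned in the reply, as an added illustration (this is not code from the patch under review or from ipatests): each command gets its own fresh host, and the `-del` runs from a `finally` clause so a failing step such as AlreadyInactive cannot leave the entry behind. The real tests drive the `ipa` CLI on a test host; the `FakeIPA` class here is a constructed stand-in with just enough state to reproduce the failure offline, and its rules (mod drops the cert, disable with no cert raises AlreadyInactive, host-del removes the host's services) are assumptions made for the example.

```python
"""Added example, not part of the FreeIPA patch: context-manager test
fixtures that guarantee the matching -del runs even when a step fails."""
import contextlib


class IPAError(Exception):
    """Stand-in for the error the ipa CLI reports (constructed)."""


class FakeIPA:
    """Constructed stand-in for the ipa CLI: records every command and keeps
    just enough host/service state to reproduce the AlreadyInactive case."""

    def __init__(self):
        self.log = []        # (command, name) tuples in call order
        self.hosts = {}      # fqdn -> {'cert': bool}
        self.services = {}   # principal -> {'cert': bool}

    def run(self, cmd, name):
        self.log.append((cmd, name))
        kind, verb = cmd.split('-', 1)
        table = self.hosts if kind == 'host' else self.services
        if verb == 'add':
            table[name] = {'cert': True}
        elif verb == 'mod':
            # e.g. host-mod dropping usercertificate: no revocation attempted
            table[name]['cert'] = False
        elif verb == 'disable':
            # nothing left to disable once the cert is already gone (assumed)
            if not table[name]['cert']:
                raise IPAError('AlreadyInactive')
            table[name]['cert'] = False
        elif verb == 'del':
            del table[name]
            if kind == 'host':
                # host-del also removes the host's services
                for principal in [p for p in self.services
                                  if p.endswith('/' + name)]:
                    del self.services[principal]
        else:
            raise IPAError('unknown command: %s' % cmd)


@contextlib.contextmanager
def host(ipa, fqdn):
    """host-add on entry, host-del on exit, even if the body raises."""
    ipa.run('host-add', fqdn)
    try:
        yield fqdn
    finally:
        ipa.run('host-del', fqdn)


@contextlib.contextmanager
def service(ipa, principal):
    """service-add on entry; no service-del needed, host-del cleans it up."""
    ipa.run('service-add', principal)
    yield principal


def verbs(ipa):
    """The commands that were issued, in order."""
    return [cmd for cmd, _ in ipa.log]


def revoke_attempted(ipa):
    """True if any cert-revoke was issued (it never should be, CA-less)."""
    return any(cmd == 'cert-revoke' for cmd in verbs(ipa))


def disable_after_mod(fqdn):
    """The original ordering: host-mod removes the cert, so a later
    host-disable raises AlreadyInactive.  host-del still runs."""
    ipa = FakeIPA()
    error = None
    try:
        with host(ipa, fqdn):
            ipa.run('host-mod', fqdn)
            ipa.run('host-disable', fqdn)
    except IPAError as e:
        error = str(e)
    return ipa, error


def one_cycle_per_command(fqdn):
    """The proposed structure: one add/.../del cycle per command tested."""
    ipa = FakeIPA()
    with host(ipa, fqdn):
        pass                                   # 1. add, del
    with host(ipa, fqdn):
        ipa.run('host-mod', fqdn)              # 2. add, mod, del
    with host(ipa, fqdn):
        ipa.run('host-disable', fqdn)          # 3. add, disable, del
    with host(ipa, fqdn):
        with service(ipa, 'HTTP/' + fqdn) as principal:
            ipa.run('service-disable', principal)   # cleaned up by host-del
    return ipa
```

`disable_after_mod` reproduces the AlreadyInactive failure from the thread while still leaving no host behind; `one_cycle_per_command` is the ordering the review asked for, and the nested `service()` shows why it needs no `service-del` of its own.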


Re: [Freeipa-devel] [PATCH] 0257 Add initial CA-less installation tests

2013-08-28 Thread Jan Cholasta

On 28.8.2013 19:39, Petr Viktorin wrote:

On 08/28/2013 06:24 PM, Jan Cholasta wrote:

On 28.8.2013 17:15, Petr Viktorin wrote:

On 08/28/2013 03:23 PM, Jan Cholasta wrote:

Thanks.

The service-disable and host-disable tests fail with AlreadyInactive,
because the certificate is removed with service-mod and host-mod in
earlier tests. I think the service and host command tests should look
like this:

1. Verify that {service,host}-del does not attempt to revoke
{host,service}'s certificate
 {service,host}-add
 {service,host}-del

2. Verify that {service,host}-mod does not attempt to revoke
{host,service}'s certificate
 {service,host}-add
 {service,host}-mod
 {service,host}-del

3. Verify that {service,host}-disable does not attempt to revoke
{host,service}'s certificate
 {service,host}-add
 {service,host}-disable
 {service,host}-del


Fixed. I've used context managers so the -del isn't skipped when there's
an error.


There are a few wrong docstrings:

+def test_service_mod_doesnt_revoke(self):
+Verify that service-mod does not attempt to revoke host's
certificate

+def test_service_del_doesnt_revoke(self):
+Verify that service-del does not attempt to revoke host's
certificate

+def test_ds_san(self):
+Install new HTTP certificate with SAN



Fixed.


The TestIPACommands.service context manager does not call service-del.


That's not necessary, deleting the host deletes all its services.


Ah, I missed the with self.host() part. How silly of me.




TestCertInstall.test_ds_san docstring still says HTTP instead of DS.


Fixed



ACK!

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 0257 Add initial CA-less installation tests

2013-08-28 Thread Petr Viktorin

On 08/28/2013 08:10 PM, Jan Cholasta wrote:

On 28.8.2013 19:39, Petr Viktorin wrote:

On 08/28/2013 06:24 PM, Jan Cholasta wrote:

On 28.8.2013 17:15, Petr Viktorin wrote:

On 08/28/2013 03:23 PM, Jan Cholasta wrote:

Thanks.

The service-disable and host-disable tests fail with AlreadyInactive,
because the certificate is removed with service-mod and host-mod in
earlier tests. I think the service and host command tests should look
like this:

1. Verify that {service,host}-del does not attempt to revoke
{host,service}'s certificate
 {service,host}-add
 {service,host}-del

2. Verify that {service,host}-mod does not attempt to revoke
{host,service}'s certificate
 {service,host}-add
 {service,host}-mod
 {service,host}-del

3. Verify that {service,host}-disable does not attempt to revoke
{host,service}'s certificate
 {service,host}-add
 {service,host}-disable
 {service,host}-del


Fixed. I've used context managers so the -del isn't skipped when
there's
an error.


There are a few wrong docstrings:

+def test_service_mod_doesnt_revoke(self):
+Verify that service-mod does not attempt to revoke host's
certificate

+def test_service_del_doesnt_revoke(self):
+Verify that service-del does not attempt to revoke host's
certificate

+def test_ds_san(self):
+Install new HTTP certificate with SAN



Fixed.


The TestIPACommands.service context manager does not call service-del.


That's not necessary, deleting the host deletes all its services.


Ah, I missed the with self.host() part. How silly of me.




TestCertInstall.test_ds_san docstring still says HTTP instead of DS.


Fixed



ACK!



Thanks again! Pushed to
master: 9b200c7c728604018bc56638a3d5e86c29d69099
ipa-3-3: c706859df2ae6a000d33874e4bb6bf79e9e9da52


--
Petr³



Re: [Freeipa-devel] [PATCH] 0257 Add initial CA-less installation tests

2013-08-26 Thread Jan Cholasta

On 22.8.2013 09:46, Petr Viktorin wrote:

On 08/16/2013 07:13 PM, Petr Viktorin wrote:

On 07/30/2013 05:47 PM, Petr Viktorin wrote:

Hello,
This patch implements the first batch of integration tests for CA-less
installation. Tests from http://www.freeipa.org/page/V3/CA-less_install
up to IPA server install with missing DS PKCS#12 password are
included.

Running this already takes an hour in the lab I use, so I decided to
split the patch up and post the first part for review now.

The two tests for revoked certificates fail. This is expected as we
don't handle revoked certs yet.


Continuing, this patch includes all tests except the ones for UI
(pvoborni's patch 443) and certinstall (I'll review jcholast's fixes
first).
See commit message for details.


Here is the completed patch, with all tests except the Web UI ones.



- The following case is omitted as it is invalid:
  - Verify that IPA client install does not configure certmonger

Instead of making a note in the commit, I would prefer if you deleted 
the test case. There's no need to keep it if it's invalid, right?


Honza

--
Jan Cholasta



[Freeipa-devel] [PATCH] 0257 Add initial CA-less installation tests

2013-07-30 Thread Petr Viktorin

Hello,
This patch implements the first batch of integration tests for CA-less 
installation. Tests from http://www.freeipa.org/page/V3/CA-less_install 
up to IPA server install with missing DS PKCS#12 password are included.


Running this already takes an hour in the lab I use, so I decided to 
split the patch up and post the first part for review now.


The two tests for revoked certificates fail. This is expected as we 
don't handle revoked certs yet.


--
Petr³
From bff741accbf2baac2cc82b28a964bb4564bd9bf6 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Tue, 11 Jun 2013 20:25:56 -0400
Subject: [PATCH] Add initial CA-less installation tests

Add the first bunch of tests described at
http://www.freeipa.org/page/V3/CA-less_install
Tests up to IPA server install with missing DS PKCS#12 password
are included.
---
 ipatests/setup.py.in   |   1 +
 .../test_integration/scripts/caless-create-pki | 113 +
 ipatests/test_integration/test_caless.py   | 533 +
 3 files changed, 647 insertions(+)
 create mode 100644 ipatests/test_integration/scripts/caless-create-pki
 create mode 100644 ipatests/test_integration/test_caless.py

diff --git a/ipatests/setup.py.in b/ipatests/setup.py.in
index 3ea2729ee018f249a7d103140c01fbd95efd17f3..afbe9abc01415feb00aac04c9c15a09296481e01 100644
--- a/ipatests/setup.py.in
+++ b/ipatests/setup.py.in
@@ -79,6 +79,7 @@ def setup_package():
 scripts=['ipa-run-tests', 'ipa-test-config', 'ipa-test-task'],
 package_data = {
 'ipatests.test_install': ['*.update'],
+'ipatests.test_integration': ['scripts/*'],
 'ipatests.test_pkcs10': ['*.csr']}
 )
 finally:
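Review bot: `'ipatests.test_integration': ['scripts/*']` installs caless-create-pki as package data rather than under `scripts=`, so whether its executable bit survives installation depends on the packaging path; the test that runs it should invoke it explicitly through the interpreter named on its shebang (`bash .../caless-create-pki`) instead of relying on the file mode, or the commit message should say how it is expected to be executed.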
diff --git a/ipatests/test_integration/scripts/caless-create-pki b/ipatests/test_integration/scripts/caless-create-pki
new file mode 100644
index ..fcafce8d3dd5e82a18b70bc467ca8bc70353d418
--- /dev/null
+++ b/ipatests/test_integration/scripts/caless-create-pki
@@ -0,0 +1,113 @@
+#!/bin/bash -e
+
+profile_ca=(-t CT,C,C -v 120)
+profile_server=(-t ,, -v 12)
+
+gen_cert() {
+local profile=$1 nick=$2 subject=$3 ca options pwfile noise csr crt
+shift 3
+
+echo gen_cert(profile=$profile nick=$nick subject=$subject)
+
+ca=$(dirname $nick)
+if [ $ca = . ]; then
+ca=$nick
+fi
+
+eval options=(\\${profile_$profile[@]}\)
+if [ $ca = $nick ]; then
+options=(${options[@]} -x -m 1)
+else
+options=(${options[@]} -c $ca)
+fi
+
+pwfile=$(mktemp)
+echo $dbpassword $pwfile
+
+noise=$(mktemp)
+head -c 20 /dev/urandom $noise
+
+if [ ! -d $dbdir ]; then
+mkdir $dbdir
+certutil -N -d $dbdir -f $pwfile
+fi
+
+csr=$(mktemp)
+crt=$(mktemp)
+certutil -R -d $dbdir -s $subject -f $pwfile -z $noise -o $csr -4 /dev/null EOF
+1
+7
+file://$(readlink -f $dbdir)/$ca.crl
+-1
+-1
+-1
+n
+n
+EOF
+certutil -C -d $dbdir -f $pwfile -m $RANDOM -i $csr -o $crt ${options[@]} $@
+certutil -A -d $dbdir -n $nick -f $pwfile -i $crt ${options[@]}
+
+rm -f $pwfile $noise $csr $crt
+}
+
+revoke_cert() {
+local nick=$1 ca pwfile serial
+shift 1
+
+echo revoke_cert(nick=$nick)
+
+ca=$(dirname $nick)
+if [ $ca = . ]; then
+ca=$nick
+fi
+
+pwfile=$(mktemp)
+echo $dbpassword $pwfile
+
+if ! crlutil -L -d $dbdir -n $ca /dev/null; then
+crlutil -G -d $dbdir -n $ca -c /dev/null -f $pwfile
+fi
+
+sleep 1
+
+mkdir -p $(dirname $dbdir/$ca.crl)
+serial=$(certutil -L -d $dbdir -n $nick | awk '/^\s+Serial Number: / { print $3 }')
+crlutil -M -d $dbdir -n $ca -c /dev/stdin -f $pwfile -o $dbdir/$ca.crl EOF
+addcert $serial $(date -u +%Y%m%d%H%M%SZ)
+EOF
+
+rm -f $pwfile
+}
+
+gen_server_certs() {
+local nick=$1 hostname=$2 org=$3
+shift 3
+
+echo gen_server_certs(nick=$nick hostname=$hostname org=$org)
+
+gen_cert server $nick CN=$hostname,O=$org $@
+gen_cert server $nick-badname CN=not-$hostname,O=$org $@
+gen_cert server $nick-altname CN=alt-$hostname,O=$org -8 $hostname $@
+gen_cert server $nick-expired CN=$hostname,OU=Expired,O=$org -w -24 $@
+gen_cert server $nick-badusage CN=$hostname,OU=Bad Usage,O=$org --keyUsage dataEncipherment,keyAgreement $@
+gen_cert server $nick-revoked CN=$hostname,OU=Revoked,O=$org $@
+revoke_cert $nick-revoked
+}
+
+gen_subtree() {
+local nick=$1 org=$2
+shift 2
+
+echo gen_subtree(nick=$nick org=$org)
+
+gen_cert ca $nick CN=CA,O=$org $@
+gen_cert server $nick/wildcard CN=*.$domain,O=$org
+gen_server_certs $nick/server $server1 $org
+gen_server_certs $nick/replica $server2 $org
+}
+
+gen_cert server server-selfsign CN=$server1,O=Self-signed
+gen_cert server replica-selfsign CN=$server2,O=Self-signed
+gen_subtree ca1 'Example Organization'
+gen_subtree ca1/subca 'Subsidiary Example Organization'
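Review bot: the script reads `$dbdir`, `$dbpassword`, `$domain`, `$server1` and `$server2` but never sets or validates them, and `#!/bin/bash -e` does not catch an unset variable, so an empty `$dbdir` turns `mkdir $dbdir` / `certutil -N -d $dbdir` into operations on the current directory; add `set -u` (or an explicit `: ${dbdir:?} ${dbpassword:?} ${domain:?} ${server1:?} ${server2:?}` near the top) and document the expected environment in a header comment. Smaller points in the same hunk: `certutil -C ... -m $RANDOM` draws serials from a 15-bit range that can collide with each other and with the CA's own `-m 1`, so a per-call counter would be more robust; the bare `sleep 1` in `revoke_cert` needs a comment saying what it waits for; and `certutil -A ... ${options[@]}` passes the whole profile (`-v`, `-x`, `-m`, `-c`) where only the `-t` trust flags are relevant to `-A`. Also, as pasted here the redirection and heredoc operators have been stripped from several lines (`echo $dbpassword $pwfile`, `head -c 20 /dev/urandom $noise`, `... -4 /dev/null EOF`), so the exact shell syntax should be reviewed from the attachment rather than this inline copy.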