[Freeipa-devel] [PATCH] 1085 cert-find command

Rob Crittenden rcritten at redhat.com
Wed Feb 6 18:23:20 UTC 2013


Petr Viktorin wrote:
> On 02/06/2013 12:44 AM, Rob Crittenden wrote:
>> This adds a cert-find command for the dogtag backend.
>>
>> Searches can be done by serial number, by subject, revocation reason,
>> issue date, notbefore, notafter and revocation dates.
>>
>> I added some basic tests for this. I made it a separate test file
>> because the cert plugin tests do not use the declarative format and rely
>> on the selfsign backend by default.
>>
>> rob
>
> Thanks! The code works well, but I found a few issues.
>
>
> These tests don't work when the full test suite is run: test_cert adds
> and revokes additional certs that throw the code off.
> Perhaps have the tests only query valid certs? I don't see that option
> but I think it would be helpful to support.

I added some rather nasty hacks to the test to make things pass. I limit 
the search to 10 certificates, which is the number we start with by 
default. There is an open dogtag ticket to return only VALID 
certificates so we should be able to drop this eventually.

I had to go further on one of the revocation tests, limiting it to a 
sizelimit of 1. The count changes every time the suite runs so this is 
the safest for now. It also means that one test will fail if this is the 
only part of the suite executed.

>
>
> The API.txt check fails:
> Option sizelimit? of command cert_find in ipalib, not in API file:
>
>
> Int('sizelimit?', default=100, minvalue=0)

Ouch. I thought I had fixed that, obviously not. Done now.

>
> What are --all and --raw for? Is the plan to implement --all if/when
> Dogtag supports requesting additional data?

Correct, they don't do anything at the moment. I have an RFE open to 
return additional data from certs. Once that is done then all will make 
sense. I don't know that raw will ever do anything interesting here but 
it comes with all commands.

>
> The format of --validnotbefore-to and friends should be mentioned in
> --help text; the following is confusing:
> $ ipa cert-show 1
> [...]
>    Not Before: Wed Feb 06 09:32:17 2013 UTC
> [...]
> $ ipa cert-find -h
> [...]
>    --validnotbefore-to=STR
>                          Valid not before to this date
> [...]
> $ ipa cert-find --validnotbefore-to='Wed Feb 06 09:32:17 2013 UTC'
> ipa: ERROR: invalid 'validnotbefore_to': time data u'Wed Feb 06 09:32:17
> 2013 UTC' does not match format '%Y-%m-%d'

It was listed in the top block but I added it to the usage help as well 
for clarity.

> Could you make the help text for --exactly more specific?

Done.


> Please remove the extra whitespace at the end of dogtag.py
>
> I'd welcome a link to the design page in the commit message.
>

Both done.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1085-2-cert-find.patch
Type: text/x-diff
Size: 33683 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130206/cf4b02b9/attachment.bin>

