[Freeipa-devel] cert profiles - test plan + patches

Fraser Tweedale ftweedal at redhat.com
Tue Aug 11 00:58:40 UTC 2015 

On Mon, Aug 10, 2015 at 06:50:57PM +0200, Milan Kubík wrote:
> Hi,
> 
> On 08/10/2015 05:24 PM, Scott Poore wrote:
> >
> >----- Original Message -----
> >>From: "Milan Kubík" <mkubik at redhat.com>
> >>To: "freeipa-devel" <freeipa-devel at redhat.com>, "Scott Poore" <spoore at redhat.com>, "Fraser Tweedale"
> >><ftweedal at redhat.com>
> >>Cc: "Namita Soman" <nsoman at redhat.com>, "Ales Marecek" <amarecek at redhat.com>
> >>Sent: Monday, August 10, 2015 4:36:31 AM
> >>Subject: Re: cert profiles - test plan + patches
> >>
> >>On 08/05/2015 02:57 PM, Milan Kubík wrote:
> >>>Hi list,
> >>>
> >>>I'm sending the test plan [1] for certificate profiles and preliminary
> >>>patches for it.
> >>>The plan covers basic CRUD test and some corner cases. I'm open to more
> >>>suggestions.
> >>>
> >>>More complicated tests involving certificate profiles will require the
> >>>code (and tests)
> >>>for CA ACLs merged, so it's not there at the moment.
> >>>
> >>>There are some unfinished test cases in places I wasn't sure what the
> >>>result should be.
> >>>We need to iterate through these to fix it.
> >>>
> >>>
> >>>[1]: http://www.freeipa.org/page/V4/Certificate_Profiles/Test_Plan
> >>>
> >>>Cheers,
> >>>Milan
> >>Hi all,
> >>
> >>have you had some time to look at the code and proposal?
> >>Today I want to write a basic CRUD test for the ACLs as well as a few
> >>test cases to check if the ACL is being enforced. It should make it into
> >>wiki today or by tomorrow. I'll send an update then.
> >I haven't looked at the actual code yet.  Is it checked into git for freeipa yet?
> >
> >This looks good to me for the basic CRUD tests.   I do have some questions and requests.
> >
> >Existing tests:
> >
> >* Delete default profile
> >- Did you find out what the expected result should be?
> >
> I reported this when Fraser was implementing the feature. He decided to
> allow this (earlier it has failed).
> At the time I didn't suggest otherwise. The design/documentation could be
> more clear on this
> as for, is it allowed to delete all profiles? Doing this will break an awful
> lot of things. The same applies to
> ACLs as well, Sub CAs later ditto. Deleting the default profile will break
> things even if other profiles
> remain as it is a default, when not specified in cert-request.
> 
> Fraser, what do you think?
>
Yes, I think we should prevent deletion of default profile.  I will
file ticket and produce patch.

I'm undecided about whether to prohibit deletion of other included
profiles (of which there are currently zero, but it won't stay that
way for long).

> >* Try to rename the profile entry
> >- Can this be renamed to be more specific to trying to rename ldap attr?
> >- Can we get a new test case to test renaming with certprofile-mod --rename?
> ACK
> >Possible new tests:
> >
> >* Import a profile in xml
> >- This should fail and I think is at least in the beginning a common mistake.
> I will add this.
>
+1; agree on failure being expected result.

> >* Change profile config from file
> >- This one may be too large in scope but, could be limited to changing something simple to make sure the file is read and used.
> ACK. Though this will be a part of the more complicated scenario.
> >Where are you planning to put the CA ACL tests?  In the same page?
> I originally planned to put it under sub CAs, but since the specification
> for CA ACLs moved into the certificate profiles design, I can add it there.
> Counting will be done separately from test cases for profiles and it will be
> implemented (at least the CRUD test cases) in a module where the ACL Tracker
> will be implemented.
> >When you have that will you be adding a cert-request test?
> Yes. I will need to use cert-request to test if the ACL/profile is enforced,
> if enabled/disabled
> is in effect. I will not implement this in a module for cert-request,
> though.
> I think it will be better to implement these in a separate module to signify
> it is a test
> of a conjunction of several parts of the feature (profiles, ACLs and Sub
> CAs,
> once this is implemented.
> If you think otherwise, I'm open to suggestions.
>
Separate module makes sense.

Cheers,
Fraser

> >Thanks,
> >Scott
> >>Cheers,
> >>Milan
> >>
> >>
> >>
> >>
> 
> Cheers,
> Milan

More information about the Freeipa-devel mailing list