[Freeipa-devel] [patch 0038-0040] Sub CA test patches

Milan Kubík mkubik at redhat.com
Thu Jul 7 13:46:52 UTC 2016


On 07/04/2016 08:57 AM, Fraser Tweedale wrote:
> Hi Milan,
>
> Yes, we can :)  Two issues, outlined below.
>
>
> 1)
> Running the tests, I get an error in
> test_create_subca_with_subject_conflict cleanup::
>
>      ____________ ERROR at teardown of TestCAbasicCRUD.test_create_subca_with_subject_conflict _____________
>
>          def cleanup():
>              created = self.exists
>              try:
>                  del_command()
>
>      <snip>
>      E               NotFound: crud-subca-2: Certificate Authority not found
>
>
> I do not know the testing framework very well but it looks like
> track_create() sets 'self.exists = True' before the create command
> throws the (expected) DuplicateEntry error.  (These are called from
> create() in the tracker 'base' class).  Later, cleanup() catches a
> NotFound but re-throws it because it believes the entry should have
> existed.
>
>
> 2)
> The usercert.conf.tmpl does not like a subject base with spaces in
> it, i.e. if the 'openssl req' config template gets formatted like:
>
>      [ dn ]
>      commonName = "alice"
>      o=IPA.LOCAL 201606201330
>
> then 'openssl req' fails with a nasty error like:
>
>      140644791924600:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:a_object.c:108:
>      140644791924600:error:0B083077:x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:x509name.c:295:name=o
>
> and CalledProcessError gets raised and the test fails.
>
> Simplest solution is to simply remove the '{ipacertbase}' from the
> template, because AFAIK it is not needed and parsing and formatting
> the certbase (which could have multiple AVAs) is more complex than
> the test calls for, IMO.
>
>
> Thanks,
> Fraser
Hi, thanks.

I must have missed the first issue after I removed the expected fail 
marker. I have fixed it now.

As for the usercert template, this code is older than the issues at
hand. I do not remember why exactly I used that option in the openssl
config. I have removed that in a new patch.


-- 
Milan Kubik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkubik-0038-2-ipatests-Tracker-implementation-for-Sub-CA-feature.patch
Type: text/x-patch
Size: 11842 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160707/8aac5fc8/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkubik-0039-2-ipatests-Extend-CAACL-suite-to-cover-Sub-CA-members.patch
Type: text/x-patch
Size: 6442 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160707/8aac5fc8/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkubik-0040-2-ipatests-Test-Sub-CA-with-CAACL-and-certificate-prof.patch
Type: text/x-patch
Size: 6341 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160707/8aac5fc8/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkubik-0041-ipatests-remove-ipacertbase-option-from-test-CSR-con.patch
Type: text/x-patch
Size: 1919 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160707/8aac5fc8/attachment-0003.bin>
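
Added example, not part of the original message or the FreeIPA test suite: a simplified Python model of the first issue in this thread, where the tracker records the entry as existing before the create command succeeds and teardown then re-raises NotFound. All class and function names, the in-memory store, the subject string and the name crud-subca-1 are constructed for illustration; recording existence only after a successful create is one possible fix, not necessarily the one in the attached patches.

```python
class NotFound(Exception): pass
class DuplicateEntry(Exception): pass

class FakeCAStore:
    """Constructed stand-in for the server (not FreeIPA code); subjects are unique."""
    def __init__(self):
        self.cas = {}
    def add(self, name, subject):
        if subject in self.cas.values():
            raise DuplicateEntry(subject)
        self.cas[name] = subject
    def delete(self, name):
        if self.cas.pop(name, None) is None:
            raise NotFound(f"{name}: Certificate Authority not found")

class EagerTracker:
    """Hypothetical tracker that sets exists=True before create has succeeded."""
    def __init__(self, store, name, subject):
        self.store, self.name, self.subject = store, name, subject
        self.exists = False
    def create(self):
        self.exists = True                      # recorded too early
        self.store.add(self.name, self.subject)
    def cleanup(self):
        created = self.exists
        try:
            self.store.delete(self.name)
        except NotFound:
            if created:                         # "should have existed": re-raise
                raise

class DeferredTracker(EagerTracker):
    """Hypothetical variant: exists=True only after the server accepted the entry."""
    def create(self):
        self.store.add(self.name, self.subject)
        self.exists = True

def run_conflict_case(tracker_cls):
    """Create two CAs with one subject, then tear down the rejected one."""
    store = FakeCAStore()
    subject = "CN=constructed sub CA"           # constructed sample value
    tracker_cls(store, "crud-subca-1", subject).create()
    second = tracker_cls(store, "crud-subca-2", subject)
    try:
        second.create()
    except DuplicateEntry:
        pass                                    # the conflict the test expects
    try:
        second.cleanup()
    except NotFound as err:
        return f"teardown error: {err}"
    return "teardown ok"
```

run_conflict_case(EagerTracker) reproduces the teardown error quoted above, while run_conflict_case(DeferredTracker) tears down cleanly.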

