<html> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 10/19/2015 01:38 PM, Martin Basti wrote: </div> <blockquote cite="mid:5624D61E.20106@redhat.com" type="cite"> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <div class="moz-cite-prefix">On 16.10.2015 15:43, Milan Kubík wrote: </div> <blockquote cite="mid:5620FEF1.70808@redhat.com" type="cite"> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <div class="moz-cite-prefix">On 09/30/2015 02:47 PM, Martin Basti wrote: </div> <blockquote cite="mid:560BD9C8.2070205@redhat.com" type="cite"> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <div class="moz-cite-prefix">On 09/24/2015 02:49 PM, Milan Kubík wrote: </div> <blockquote cite="mid:5603F13E.4060805@redhat.com" type="cite">Hi all, an update for CA ACL tests! I, with help from M. Babinsky, managed to find a way how to change the identity during acceptance cest run, which allows to test CA ACLs (and perhaps other areas with some form of access controll). This allowed me to write a test for CA ACLs and certificate profiles that checks if the ACL/profile is being used and enforced. The first several tests are based on Fraser's blogpost using SMIME profile [1]. The master and ipa-4-2 branches diverged a bit, so I had to change two commits when rebasing to ipa-4-2 branch. Commits should be applied in the order (including rebased patches I sent in an earlier email): master: * 12 - 17 ipa-4-2: * 18, 13 - 15, 19, 17 For convenience: patches on top of master: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://github.com/apophys/freeipa/tree/acl-profile-functional">https://github.com/apophys/freeipa/tree/acl-profile-functional</a> patches on top of ipa-4-2: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://github.com/apophys/freeipa/tree/acl-42">https://github.com/apophys/freeipa/tree/acl-42</a> [1]: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/">https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/</a> Cheers, Milan <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> NACK 0) rpm file does not contain test_xmlrpc/data directory, please modify setup.py.in. 1) Code contains to much todo for my taste. 2) Please do not use filter function, use dict comprehension. </blockquote> Hi, updated patches and the numbering mess somehow curbed. The patches are rebased on top of current master and ipa-4-2. 0) fixed by 0021 1) docs for tracker extended, added more test cases 2) changed <pre class="moz-signature" cols="72">-- Milan Kubik</pre> </blockquote> I have a few comments: 1) +# TODO: rewrite these into Tracker instances +@pytest.fixture(scope='class') +def smime_user(request): + api.Command.user_add(uid=u'alice', givenname=u'Alice', sn=u'SMIME', + userpassword=u'Change123') + + unlock_principal_password('alice', 'Change123', 'Secret123') + + def fin(): + api.Command.user_del(u'alice') + request.addfinalizer(fin) + + return u'alice' I do not like hardcoded password value, as this password is used in many places in the test, I sugest to use a module variable </blockquote> Done <blockquote cite="mid:5624D61E.20106@redhat.com" type="cite"> 2) +class TestSignWithChangedProfile(XMLRPC_test): + """ Test to verify that the updated profile is used.""" + pass # import invalid profile, try to sign, expect fail IMO something is missing here, a test maybe? </blockquote> Done by using profile with constraint that CSR cannot meet. <blockquote cite="mid:5624D61E.20106@redhat.com" type="cite"> 3) # noqa Please remove "# noqa" commets from commits </blockquote> Done. <pre class="moz-signature" cols="72">-- Milan Kubik</pre> </body> </html>