<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 20.10.2015 10:00, Milan Kubík wrote:<br>
</div>
<blockquote cite="mid:5625F493.9020109@redhat.com" type="cite">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<div class="moz-cite-prefix">On 10/19/2015 01:38 PM, Martin Basti
wrote:<br>
</div>
<blockquote cite="mid:5624D61E.20106@redhat.com" type="cite">
<meta content="text/html; charset=utf-8"
http-equiv="Content-Type">
<br>
<br>
<div class="moz-cite-prefix">On 16.10.2015 15:43, Milan Kubík
wrote:<br>
</div>
<blockquote cite="mid:5620FEF1.70808@redhat.com" type="cite">
<meta http-equiv="content-type" content="text/html;
charset=utf-8">
<div class="moz-cite-prefix">On 09/30/2015 02:47 PM, Martin
Basti wrote:<br>
</div>
<blockquote cite="mid:560BD9C8.2070205@redhat.com" type="cite"><br>
<br>
<meta content="text/html; charset=utf-8"
http-equiv="Content-Type">
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 09/24/2015 02:49 PM, Milan
Kubík<br>
wrote:<br>
<br>
</div>
<br>
<blockquote cite="mid:5603F13E.4060805@redhat.com"
type="cite">Hi<br>
all,<br>
<br>
<br>
<br>
<br>
an update for CA ACL tests!<br>
<br>
<br>
<br>
<br>
I, with help from M. Babinsky, managed to find a way how
to change<br>
the identity during acceptance cest run, which allows<br>
<br>
<br>
to test CA ACLs (and perhaps other areas with some form of
access<br>
controll).<br>
<br>
<br>
<br>
<br>
This allowed me to write a test for CA ACLs and
certificate<br>
profiles that checks if the ACL/profile is being used and<br>
enforced.<br>
<br>
<br>
The first several tests are based on Fraser's blogpost
using SMIME<br>
profile [1].<br>
<br>
<br>
<br>
<br>
The master and ipa-4-2 branches diverged a bit, so I had
to change<br>
two commits when rebasing to ipa-4-2 branch.<br>
<br>
<br>
<br>
<br>
Commits should be applied in the order (including rebased
patches<br>
I sent in an earlier email):<br>
<br>
<br>
<br>
<br>
master:<br>
<br>
<br>
* 12 - 17<br>
<br>
<br>
<br>
<br>
ipa-4-2:<br>
<br>
<br>
* 18, 13 - 15, 19, 17<br>
<br>
<br>
<br>
<br>
For convenience:<br>
<br>
<br>
patches on top of master:<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://github.com/apophys/freeipa/tree/acl-profile-functional">https://github.com/apophys/freeipa/tree/acl-profile-functional</a><br>
<br>
<br>
patches on top of ipa-4-2:<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://github.com/apophys/freeipa/tree/acl-42">https://github.com/apophys/freeipa/tree/acl-42</a><br>
<br>
<br>
<br>
<br>
<br>
<br>
[1]:<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/">https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/</a><br>
<br>
<br>
<br>
Cheers,<br>
<br>
<br>
Milan<br>
<br>
<br>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<br>
<br>
</blockquote>
<br>
<br>
<br>
NACK<br>
<br>
<br>
<br>
0)<br>
<br>
rpm file does not contain test_xmlrpc/data directory, please
modify<br>
setup.py.in.<br>
<br>
<br>
<br>
1)<br>
<br>
Code contains to much todo for my taste.<br>
<br>
<br>
<br>
2)<br>
<br>
Please do not use filter function, use dict comprehension.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</blockquote>
Hi,<br>
<br>
updated patches and the numbering mess somehow curbed. The
patches are rebased on top of current master and ipa-4-2.<br>
<br>
0) fixed by 0021<br>
<br>
1) docs for tracker extended, added more test cases<br>
<br>
2) changed<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Milan Kubik</pre>
</blockquote>
I have a few comments:<br>
<br>
1)<br>
+# TODO: rewrite these into Tracker instances<br>
+@pytest.fixture(scope='class')<br>
+def smime_user(request):<br>
+ api.Command.user_add(uid=u'alice', givenname=u'Alice',
sn=u'SMIME',<br>
+ userpassword=u'Change123')<br>
+<br>
+ unlock_principal_password('alice', 'Change123',
'Secret123')<br>
+<br>
+ def fin():<br>
+ api.Command.user_del(u'alice')<br>
+ request.addfinalizer(fin)<br>
+<br>
+ return u'alice'<br>
<br>
I do not like hardcoded password value, as this password is used
in many places in the test, I sugest to use a module variable<br>
</blockquote>
Done<br>
<blockquote cite="mid:5624D61E.20106@redhat.com" type="cite"> <br>
2)<br>
+class TestSignWithChangedProfile(XMLRPC_test):<br>
+ """ Test to verify that the updated profile is used."""<br>
+ pass # import invalid profile, try to sign, expect fail<br>
<br>
IMO something is missing here, a test maybe?<br>
<br>
</blockquote>
Done by using profile with constraint that CSR cannot meet.<br>
<blockquote cite="mid:5624D61E.20106@redhat.com" type="cite"> 3)<br>
# noqa<br>
Please remove "# noqa" commets from commits<br>
</blockquote>
<br>
Done.<br>
<br>
<pre class="moz-signature" cols="72">--
Milan Kubik</pre>
</blockquote>
<br>
NACK<br>
<br>
1) <br>
I still see many hardcoded passwords in the code<br>
with change_principal(smime_user, "Secret123"):<br>
<br>
2)<br>
Also the 'alice' username can be extracted to module variable
instead hardcoding<br>
<br>
3)<br>
File alice.conf.tmpl can be generalized to be used for more users,
replace alice in template to {username} and in code replace this
variable with alice, also do not forgot rename template to something
more general<br>
<br>
<br>
</body>
</html>