[Freeipa-devel] [PATCH] ca-less tests updated - POC

Lukas Slebodnik lslebodn at redhat.com
Thu Dec 10 13:47:34 UTC 2015


On (06/11/15 14:04), Oleg Fayans wrote:
>Hi Jan,
>
>On 11/06/2015 09:01 AM, Jan Cholasta wrote:
>>Actually it might be better to keep them, but fix them to expect
>>ipa-server-certinstall to succeed.
>
>Done. Updated patch attached.
>Also, in patch 0013 I removed trailing whitespace which caused lint to
>complain.
>
>Now with domain level 0 the test output looks like this:
>
>[11:40:51]ofayans at vm-076:~]$ ipa-run-tests test_integration/test_caless.py
>============================= test session starts =============================
>platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.6.4
>plugins: multihost, sourceorder
>collected 88 items
>
>test_integration/test_caless.py ......xx......ss...............xx........ss....................xx......ss...............
>
>============ 76 passed, 6 skipped, 6 xfailed in 7871.10 seconds ============
>
>
>>
>>On 6.11.2015 08:47, Jan Cholasta wrote:
>>>Hi Oleg,
>>>
>>>I think you can just remove
>>>TestCertinstall.test_{http,ds}_intermediate_ca, the certificates are
>>>imported correctly in this case and I didn't see anything break.
>>>
>>>Honza
>>>
>>>On 5.11.2015 20:20, Oleg Fayans wrote:
>>>>Patch 0014 updated and passes lint
>>>>
>>>>On 11/05/2015 03:41 PM, Oleg Fayans wrote:
>>>>>Wait a bit, the patch has problems with pylint: it does not build :)
>>>>>The updated version (without the setupmaster nonsense) is being tested
>>>>>now.
>>>>>
>>>>>On 11/05/2015 08:45 AM, Oleg Fayans wrote:
>>>>>>Hi Jan,
>>>>>>
>>>>>>Could you take a look at these, whenever you are free?
>>>>>>
>>>>>>On 10/30/2015 02:57 PM, Oleg Fayans wrote:
>>>>>>>Hi,
>>>>>>>
>>>>>>>The following patches contain updates to ca-less integration tests.
>>>>>>>It's still a proof of concept: 2 tests still fail, seemingly due to the
>>>>>>>change in target system logic (marked as xfail with "ask jcholast
>>>>>>>comment").
>>>>>>>
>>>>>>>The test output looks like this:
>>>>>>>
>>>>>>>$ ipa-run-tests test_integration/test_caless.py --pdb
>>>>>>>============================= test session starts =============================
>>>>>>>platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.6.4
>>>>>>>plugins: multihost, sourceorder
>>>>>>>collected 88 items
>>>>>>>
>>>>>>>test_integration/test_caless.py ......xx......ss............sssssssssssssssssss.ssssss.........xx......ssxx.............
>>>>>>>
>>>>>>>============ 53 passed, 29 skipped, 6 xfailed in 5620.17 seconds ============
>>>>>>>
>>>>>>>Numerous skips correspond to the tests related to ipa-replica-prepare
>>>>>>>(unsupported under domain level 1)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>-- 
>Oleg Fayans
>Quality Engineer
>FreeIPA team
>RedHat.

>From 3142e9ab937b602a687639e7972422001e887211 Mon Sep 17 00:00:00 2001
>From: Oleg Fayans <ofayans at redhat.com>
>Date: Thu, 5 Nov 2015 16:25:29 +0100
>Subject: [PATCH] Updated the script creating test certificate chains
>
>https://fedorahosted.org/freeipa/ticket/4589
>---
> .../test_integration/scripts/caless-create-pki     | 29 ++++++++++++++--------
> 1 file changed, 18 insertions(+), 11 deletions(-)
>
>diff --git a/ipatests/test_integration/scripts/caless-create-pki b/ipatests/test_integration/scripts/caless-create-pki
>index f428ebae16e05644a875a35faf192f75eb149740..4c37077ffdecfb0c70663c7c4817f102154d3b26 100644
>--- a/ipatests/test_integration/scripts/caless-create-pki
>+++ b/ipatests/test_integration/scripts/caless-create-pki
>@@ -3,7 +3,17 @@
> profile_ca=(-t CT,C,C -v 120)
> profile_server=(-t ,, -v 12)
> 
>-crl_path=${crl_path-$(readlink -f $dbdir)}
>+# crl_path=${crl_path-$(readlink -f $dbdir)}
>+profile_ca_request_options=(-1 -2 -4)
>+profile_ca_request_input="\$'0\n1\n5\n6\n9\ny\ny\n\ny\n1\n7\nfile://'\$(readlink -f \$dbdir)/\$ca.crl\$'\n-1\n-1\n-1\nn\nn\n'"
>+profile_ca_create_options=(-v 120)
>+profile_ca_add_options=(-t ,,)
>+
>+profile_server_request_options=(-4)
>+profile_server_request_input="\$'1\n7\nfile://'\$(readlink -f \$dbdir)/\$ca.crl\$'\n-1\n-1\n-1\nn\nn\n'"
>+profile_server_create_options=(-v 12)
>+profile_server_add_options=(-t ,,)
>+
> 
> serial_number=0
> 
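Review bot: the `profile_ca_create_options`/`profile_ca_add_options` and `profile_server_create_options`/`profile_server_add_options` arrays added at the top of the script are not read by any hunk in this patch; `gen_cert` still feeds `"${options[@]}"` from `profile_ca`/`profile_server` to both `certutil -C` and `certutil -A`. Either wire them in or drop them, and note that if they are wired in, `profile_ca_add_options=(-t ,,)` would import CA certificates without the `CT,C,C` trust flags that `profile_ca` sets today. The old `crl_path` assignment should be deleted rather than commented out; as written the script also loses the ability to override the CRL location through `crl_path`, since the path is now hard-coded as `$(readlink -f $dbdir)` inside the input strings.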
>@@ -18,7 +28,11 @@ gen_cert() {
>         ca="$nick"
>     fi
> 
>+    echo $profile
>     eval "options=(\"\${profile_$profile[@]}\")"
>+    eval "request_options=(\"\${profile_${profile}_request_options[@]}\")"
>+    eval "eval request_input=(\"\${profile_${profile}_request_input[@]}\")"
>+
>     if [ "$ca" = "$nick" ]; then
>         options=("${options[@]}" -x -m 1)
>     else
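Review bot: `echo $profile` right after the `ca="$nick"` branch looks like leftover debugging output and should be removed (or at least quoted and sent to stderr). The nested `eval "eval request_input=(...)"` re-parses the profile string as shell code, and the `$(readlink -f \$dbdir)` inside it is expanded unquoted in an array assignment, so a database path containing whitespace would split into several elements while the later `<<<"$request_input"` reads only the first. A small per-profile function that prints the answers with `printf` would avoid both evals and make `request_input` a plain scalar.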
>@@ -38,16 +52,7 @@ gen_cert() {
> 
>     csr="$(mktemp)"
>     crt="$(mktemp)"
>-    certutil -R -d "$dbdir" -s "$subject" -f "$pwfile" -z "$noise" -o "$csr" -4 >/dev/null <<EOF
>-1
>-7
>-file://$crl_path/$ca.crl
>--1
>--1
>--1
>-n
>-n
>-EOF
>+    certutil -R -d "$dbdir" -s "$subject" -f "$pwfile" -z "$noise" -o "$csr" "${request_options[@]}" >/dev/null <<<"$request_input"
>     serial_number=$(($serial_number+1))
>     certutil -C -d "$dbdir" -f "$pwfile" -m "$serial_number" -i "$csr" -o "$crt" "${options[@]}" "$@"
>     certutil -A -d "$dbdir" -n "$nick" -f "$pwfile" -i "$crt" "${options[@]}"
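Review bot: the `certutil -R` call now relies on `$request_input` lining up exactly with the prompts that `"${request_options[@]}"` triggers (`-1 -2 -4` for the CA profile, `-4` for the server profile), yet its output still goes to `/dev/null` and nothing in this hunk checks its exit status before `certutil -C` consumes `$csr`. Please fail early if the request step returns non-zero, and add a comment next to each input string saying which answer belongs to which extension prompt, since the removed here-document was at least readable line by line.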
>@@ -117,3 +122,5 @@ gen_cert server replica-selfsign "CN=$server2,O=Self-signed"
> gen_subtree ca1 'Example Organization'
> gen_subtree ca1/subca 'Subsidiary Example Organization'
> gen_subtree ca2 'Other Example Organization'
>+gen_subtree ca3 'Unknown Organization'
>+certutil -D -d "$dbdir" -n ca3
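Review bot: `gen_subtree ca3 'Unknown Organization'` followed by `certutil -D -d "$dbdir" -n ca3` has no comment explaining why the CA certificate is generated and then immediately deleted from the database. If the aim is a chain whose issuer is absent from the database, say so in a comment so that a later cleanup does not remove the pair as redundant.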
>-- 
>2.4.3
>

>From e101c70bca6ed9d54b7aa6f19f0a76425cf411ea Mon Sep 17 00:00:00 2001
>From: Oleg Fayans <ofayans at redhat.com>
>Date: Fri, 6 Nov 2015 13:43:05 +0100
>Subject: [PATCH] Updated ca-less tests.
>
>A preview. All tests except 2 pass. Those 2 failing ones need consultation with
>jcholast (so far marked as xfail).
>
>https://fedorahosted.org/freeipa/ticket/4589
>---
I had to use a 3-way merge to apply this patch.

But I can still see failures with this patch, see:
_______________________ TestReplicaInstall.test_no_certs _______________________

self = <ipatests.test_integration.test_caless.TestReplicaInstall object at 0x7f5826d4e090>

    def test_no_certs(self):
        "IPA replica install without certificates"
        replica = self.replicas[0]
        if config.domain_level == 0:
            result = self.master.run_command(['ipa-replica-prepare',
                                              self.replicas[0].hostname,
                                              '-p', self.env['dirman_password']],
                                             raiseonerr=False)
            assert result.returncode > 0
            assert ('Cannot issue certificates: a CA is not installed. Use the '
                    '--http-cert-file, --dirsrv-cert-file options to provide '
                    'custom certificates.' in result.stderr_text), \
                result.stderr_text
    
        else:
            args = ["ipa-replica-install", "-U",
                    "-p", replica.config.dirman_password,
                    "-w", replica.config.admin_password,
                    "--ip-address", replica.ip, "--setup-ca"]
    
            tasks.install_client(self.master, replica)
            result = replica.run_command(args, raiseonerr=False)
>           assert ("The remote master does not have a CA installed,"
                    " can't proceed without certs" in result.stderr_text), \
                result.stderr_text
E           AssertionError: ipa         : ERROR    Reverse DNS resolution of address 10.16.65.13 (dell-pe1850-04.testrelm.test) failed. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
E             ipa         : ERROR    The IP address 2620:52:0:1040:214:22ff:fe21:ca12 of host dell-pe1850-04.testrelm.test resolves to: dell-pe1850-04.rhts.eng.bos.redhat.com.. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
E             ipa         : ERROR    Cannot issue certificates: a CA is not installed. Use the --http-cert-file, --dirsrv-cert-file options to provide custom certificates.
E             ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
E             
E           assert "The remote master does not have a CA installed, can't proceed without certs" in 'ipa         : ERROR    Reverse DNS resolution of address 10.16.65.13 (dell-pe1850-04.testrelm.test) failed. Clients m...(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information\n'
E            +  where 'ipa         : ERROR    Reverse DNS resolution of address 10.16.65.13 (dell-pe1850-04.testrelm.test) failed. Clients m...(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information\n' = <pytest_multihost.transport.SSHCommand object at 0x7f5826e3bbd0>.stderr_text

test_integration/test_caless.py:785: AssertionError
---------------------------- Captured stdout setup -----------------------------

LS



