[Freeipa-devel] [patch 0038-0040] Sub CA test patches
Fraser Tweedale
ftweedal at redhat.com
Mon Jun 27 00:57:34 UTC 2016
On Fri, Jun 24, 2016 at 12:08:24PM +0200, Milan Kubík wrote:
> On 06/24/2016 03:42 AM, Fraser Tweedale wrote:
> > On Tue, Jun 21, 2016 at 05:01:35PM +0200, Milan Kubík wrote:
> > > Hi Fraser and list,
> > >
> > > I have made changes to the test plan on the wiki [1] according to the
> > > information in "[Testplan review] Sub CAs" thread.
> > >
> > > I also implemented the tests in the test plan:
> > >
> > > patch 0038 - CATracker and CA CRUD test
> > > patch 0039 - extension to CA ACL test
> > > patch 0040 - functional test with ACLs and certificate profile, reusing my
> > > previous S/MIME based tests. This patch also tests for the cert-request
> > > behavior when profile ID or CA cn are omitted.
> > >
> > > The tests ATM do not verify the Issuer name in the certificate itself, just
> > > from the ipa entry of the certificate.
> > >
> > The approach you are using::
> >
> >     assert cert_info['result']['issuer'] == smime_signing_ca.ipasubjectdn
> >
> > is not quite as you describe (these are virtual attributes, not
> > attributes of an actual entry); but the approach is valid.
> The issue then is in the wording? The other approach I could have used here
> is to retrieve the two certificates and compare the fields manually.
> Are these virtual attributes created from the certificate itself?
>
That's correct.
> >
> > > Fraser, could you please verify my reasoning behind the test cases for
> > > cert-request in the patch 40?
> > >
> > The tests look OK. With the default CA / default profiles, is there
> > appropriate isolation between test cases to ensure that if, e.g.
> > some other test case adds/modifies CA ACLs such that these
> > expected-to-fail tests now pass, that this does not affect the
> > TestCertSignMIMEwithSubCA test case?
> >
> > Thanks,
> > Fraser
>
> The ACL, SMIME CA and S/MIME profile lifetime is constrained by the class
> scope enforced by pytest.
> The two test cases depend on the fact documented in the designs and that is
> what cert-request falls back to when CA or profile ID are not provided.
> Unless something changes caIPAserviceCert profile or affiliated ACL, then
> the test cases are safe.
>
If you have thought about possible interference from other tests, I
am happy.
Note another problematic scenario: what if a different (preceding)
test adds a CA ACL that would allow the requests that you expect to
fail? Just something to think about :)
Thanks,
Fraser
> I will try to think more about corner cases here.
> > > [1]: http://www.freeipa.org/page/V4/Sub-CAs/Test_Plan
> > >
> > > Cheers
> > >
> > > --
> > > Milan Kubik
> > >
> Attaching rebased patches and removing the expected fail from one of the
> tests as ticket 5981 has fix posted.
>
> --
> Milan Kubik
>
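
Added example, not part of the original thread or of the FreeIPA test suite: a precondition guard for the expected-to-fail cert-request cases discussed above, which fails loudly if a CA ACL left behind by another test would allow the request. The CAACL model, its field names, the function names and the default CA name "ipa" are assumptions made for illustration; the sample ACLs are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

DEFAULT_PROFILE = "caIPAserviceCert"  # fallback profile named in the thread
DEFAULT_CA = "ipa"                    # assumed name of the default CA


@dataclass(frozen=True)
class CAACL:
    """Simplified CA ACL model; None in a field means "any" (category all)."""
    name: str
    enabled: bool = True
    users: Optional[FrozenSet[str]] = None
    profiles: Optional[FrozenSet[str]] = None
    cas: Optional[FrozenSet[str]] = None

    def permits(self, user: str, profile: str, ca: str) -> bool:
        def match(allowed, value):
            return allowed is None or value in allowed
        return (self.enabled and match(self.users, user)
                and match(self.profiles, profile) and match(self.cas, ca))


def permitting_acls(acls, user, profile=None, ca=None) -> List[str]:
    """Names of ACLs that allow the request after applying the fallbacks."""
    profile = profile or DEFAULT_PROFILE
    ca = ca or DEFAULT_CA
    return [a.name for a in acls if a.permits(user, profile, ca)]


def require_denied(acls, user, profile=None, ca=None) -> None:
    """Precondition for an expected-to-fail test: no ACL may allow it."""
    leaked = permitting_acls(acls, user, profile, ca)
    if leaked:
        raise AssertionError(
            "negative test invalid, request allowed by: " + ", ".join(leaked))


# Constructed sample state, not taken from the FreeIPA test suite.
SMIME_ACL = CAACL("smime_acl", users=frozenset({"alice"}),
                  profiles=frozenset({"smime"}), cas=frozenset({"smime_ca"}))
LEFTOVER = CAACL("leftover_acl")  # allows everything, left by another test
DISABLED = CAACL("disabled_acl", enabled=False)

if __name__ == "__main__":
    require_denied([SMIME_ACL, DISABLED], "alice", profile="smime")  # passes
    try:
        require_denied([SMIME_ACL, LEFTOVER], "alice", profile="smime")
    except AssertionError as exc:
        print(exc)
```

In a real suite the ACL list would come from the server state at the start of the test class rather than from constants.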