Adjust test to handle revocation reason REMOVE_FROM_CRL

The dogtag REST API has a change of behavior regarding revocation reason 8, REMOVE_FROM_CRL. The XML interface accepts it blindly and marks the certifiate as revoked. This is complicated within RFC 5280 but the jist is that it only affects a certificate on hold and only for delta CRLs. So this modifies the behavior of revocation 8 so that the certificate is put on hold (6) first. Fixes: https://pagure.io/freeipa/issue/9345 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
freeipa · Aug 28, 2023 · 317e706 · 317e706
1 parent ed52142
commit 317e706
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
@@ -473,14 +473,23 @@ def revoke_cert(self, reason):
                                           add=True, all=True)['result']
         serial_number = res['serial_number']
 
+        # REMOVE_FROM_CRL (8) needs to be on hold to revoke per RFC 5280
+        if reason == 8:
+            assert 'result' in api.Command['cert_revoke'](
+                serial_number, revocation_reason=6)
+
         # revoke created certificate
         assert 'result' in api.Command['cert_revoke'](
             serial_number, revocation_reason=reason)
 
         # verify that certificate is revoked with correct reason
         res2 = api.Command['cert_show'](serial_number, all=True)['result']
-        assert res2['revoked']
-        assert res2['revocation_reason'] == reason
+
+        if reason == 8:
+            assert res2['revoked'] is False
+        else:
+            assert res2['revoked']
+            assert res2['revocation_reason'] == reason
 
         # remove host
         assert 'result' in api.Command['host_del'](self.host_fqdn)